Abstract. We consider the problem of bounded model checking (BMC) for linear temporal logic (LTL). We present several efficient encodings that have size linear in the bound. Furthermore, we show how the encodings can be extended to LTL with past operators (PLTL). The generalised encoding is still of linear size, but cannot detect minimal length counterexamples. By using the virtual unrolling technique minimal length counterexamples can be captured; however, the size of the encoding is then quadratic in the specification. We also extend virtual unrolling to Büchi automata, enabling them to accept minimal length counterexamples.

Our BMC encodings can be made incremental in order to benefit from incremental 
SAT technology. With fairly small modifications the incremental encoding can be further 
enhanced with a termination check, allowing us to prove properties with BMC. 

An analysis of the liveness-to-safety transformation reveals many similarities to the BMC encodings in this paper. We conduct experiments to determine the advantage of employing dedicated BMC encodings for PLTL over combining more general but potentially less efficient approaches with BMC: the liveness-to-safety transformation with invariant checking and Büchi automata with fair cycle detection.

Experiments clearly show that our new encodings improve the performance of BMC considerably, particularly in the case of the incremental encoding, and that they are very competitive for finding bugs. Dedicated encodings seem to have an advantage over using more general methods with BMC. Using the liveness-to-safety translation with BDD-based invariant checking results in an efficient method to find shortest counterexamples that complements the BMC-based approach. For proving complex properties BDD-based methods still tend to perform better.
Introduction

Bounded model checking [BCCZ99] was introduced as an alternative to binary decision diagrams (BDDs) to implement symbolic model checking. This paper describes some of the key results of [Lat05, Sch06] on bounded model checking, and some extensions. The main results have been published in [LBHJ04, LBHJ05, HJL05, SB04, SB05].

The basic idea behind bounded model checking (BMC) is to restrict the general model checking problem to a bounded problem. Instead of asking whether the system $M$ violates the property $\varphi$, we ask whether the system $M$ has any counterexample of length $k$ to $\varphi$. This bounded problem is encoded into SAT, the propositional satisfiability problem, in order to obtain the benefits of symbolic representations of states. In other words, a Boolean formula $|[M, \neg\varphi, k]|$ is generated which is satisfiable iff $M$ has a counterexample to $\varphi$ of length $k$. The satisfiability of this formula can then be checked with a SAT solver.

The key insight behind BMC for linear-time formalisms such as linear temporal logic (LTL) is that a witness for LTL given as an infinite execution path of the system can be captured by a finite path in two ways: either the finite path represents all its infinite extensions or the finite path loops and in fact captures the behaviour of an infinite path. Let $\pi = s_0 s_1 s_2 \ldots$ be an infinite path of a system. We say that $\pi$ is a $(k,l)$-loop if $\pi = (s_0 s_1 \ldots s_{l-1})(s_l \ldots s_k)^\omega$ such that $0 < l \leq k$ and $s_{l-1} = s_k$.
In BMC the transition relation $T(s, s')$ of a system $M$ is represented symbolically as a Boolean formula, where the states $s, s'$ are modelled as bit vectors. To capture the finite paths of length $k$, we unroll the transition relation $k$ times and obtain the following Boolean formula:

$$|[M]|_k := I(s_0) \wedge \bigwedge_{i=1}^{k} T(s_{i-1}, s_i).$$

Here $I(s)$ is the initial state predicate and $T(s, s')$ a total transition relation predicate. Since only counterexamples to the given LTL formula should be accepted, additional constraints must be generated to restrict the models of the Boolean formula. If we denote the constraints for the negated formula $\neg\psi$ by $|[\neg\psi]|_k$, the Boolean formula $|[M, \neg\psi, k]| := |[M]|_k \wedge |[\neg\psi]|_k$ is satisfiable iff $M$ has a counterexample of length $k$ to $\psi$.

Compared with using BDDs to implement symbolic model checking, BMC has a few advantages. BMC can leverage the impressive gains that have been achieved in SAT solver technology in recent years [BS05]. The increase in efficiency of the solvers can directly be translated to more effective BMC. The use of SAT procedures as a practical implementation technique to search for bounded length executions of systems has also been used in the context of SAT-based artificial intelligence (AI) planning [KS92, KS96] and in sequential ATPG [KL93]. In practice, SAT solvers seem to be able to solve certain problems that are not feasible for BDDs.

An important advantage of BMC is that the counterexamples produced by most BMC encodings are minimal and that the counterexample is immediately available. Producing short counterexamples using BDDs is a fairly involved process [CGMZ95] and minimality is seldom guaranteed. In many cases producing the counterexample consumes more resources than answering the model checking query [CGMZ95]. However, recently a BDD model checking procedure [SB05] based on the BMC encoding of [LBHJ05] was presented that provably produces minimal counterexamples. The method appears to consume more memory than standard BDD model checkers, but can in some cases be faster.
Boolean formulas, or more specifically circuits, are a more compact encoding than BDDs for many Boolean functions: there are Boolean functions whose BDDs are exponential in the number of propositional variables [Bry86] that still have polynomial circuits. However, since BMC represents the length of the paths explicitly it is not always more space efficient than using BDDs [CKOS04]. For instance, for a simple binary counter system an exponential number of unrollings of the transition relation is required before the system loops and we can be sure that the whole behaviour of the system has been covered.

Although BMC has been very successful in practice [BCRZ99, CFF+01, Str04], improving BMC remains a high priority. Increasing the efficiency of BMC can be done in several ways. Two important approaches are developing smarter encodings of the problem to SAT and utilising improvements in solver technology. Better encodings of the problem boil down to finding new representations of the formula $|[M, \neg\psi, k]|$ which are easier for the SAT solver. As a rule of thumb, good BMC encodings are compact but still propagate information efficiently, thus minimising the non-deterministic choices the solver has to make.

LTL with temporal operators that can reference the past is exponentially more succinct than LTL [LMS02]. In many cases the future fragment of LTL, which is the only fragment usually supported, is not expressive enough in practice. The main argument for adding support for past operators is motivated by practice: LTL with past operators (PLTL) allows more succinct and natural specifications. Especially compositional reasoning benefits from the added succinctness [LPZ85]. Efficient encodings for LTL with past operators are therefore one way to increase the usability, efficiency, and the scope of BMC. Utilising new solver technology such as incremental SAT solvers can result in huge benefits for BMC [WKS01, Str01]. When solving a sequence of similar SAT problems, as is the case in BMC, an incremental solver can retain many of the learned clauses obtained while solving earlier related instances. This can result in large time savings for solving the whole sequence of problems. The benefits of incremental SAT technology can be maximised by adapting BMC encodings to suit the incremental framework.

In this paper we will introduce several efficient BMC encodings for LTL that all have linear size encodings in the bound $k$. Efficient encodings can make a big difference when the specification is complex [LBHJ04]. We will present several encodings that take a slightly different view of the problem. In particular we highlight the relation of BMC encodings to the automata-theoretic approach to model checking [Kur94, VW86]. We also show how our encodings can be efficiently generalised to PLTL. The generalised encoding is still of linear size in the bound and in the size of the PLTL formula but does not detect minimal length counterexamples. By increasing the size of the encoding to quadratic in the size of the PLTL formula, minimal length counterexamples can be guaranteed. Our technique is based on virtual unrolling [BC03]. We also show how virtual unrolling enables symbolic Büchi automata to detect minimal length counterexamples.

Furthermore, with some modifications, our new more efficient encoding for PLTL can 
be adapted to utilise incremental SAT technology. We try to maximise the number of learnt 
clauses which can be kept when the solver moves from one problem instance to the next 
(i.e., when the bound k is increased). Experiments show that the increase in efficiency can 
be quite dramatic. 

Model checking $\omega$-regular properties depends on finding fair loops in the system. Using the liveness-to-safety model transformation [SB04], fair loop detection can be integrated in the system model. This effectively reduces the general unbounded model checking problem to reachability of bad states. We present the technique and discuss similarities with the BMC approaches introduced in this paper. In experiments we compare the performance of invariant checking, after translating liveness to safety, with dedicated BMC encodings for PLTL.

From its inception BMC has been predominantly seen as an efficient method for finding bugs. BDD-based methods have had the advantage of being complete and thus being able to prove that no counterexample exists. However, several methods have been developed in recent years which can be used to achieve completeness with BMC (see for instance the recent survey [PBG05]). Our incremental encoding can also be extended with a termination check. The approach naturally integrates with our incremental approach and can prove properties for full PLTL.

We implemented the BMC encodings and the liveness-to-safety transformation on top of the NuSMV system [CCG+02], version 2.2.3. Starting with version 2.4.0, the BMC encoding variant published in [HJL05] and discussed in more detail in this work has recently become a part of the standard distribution of NuSMV [NuS]. Based on the former, we have experimentally evaluated the encodings using a large set of models with complex specifications. Compared to the original encoding [BCCZ99] and its newer versions [CPRS02, BC03], our new linear encodings are clearly superior. We observed additional impressive performance gains for the incremental versions. Alternative linear sized encodings to do BMC based either on the liveness-to-safety transformation and invariant checking or on Büchi automata and fair loop detection did not prove quite as effective as the dedicated BMC encodings, although they were clearly more efficient than the original encoding and its relatives. With the termination check activated our linear BMC encoding did not perform quite as well as without it, but still better than old encodings. For proving properties BDD-based methods perform better. It is clear that the termination check must be developed further in order for BMC to be competitive also for proving properties. Combining the liveness-to-safety transformation with BDD-based invariant checking results in an efficient BDD-based method to find shortest counterexamples. It significantly reduces the length of counterexamples in comparison to the standard BDD-based algorithm. It performs competitively with SAT-based methods for this purpose and complements them with respect to solved examples. Using virtual unrolling for Büchi automata with the standard BDD-based algorithm significantly increases running time and gives mixed results at best in terms of counterexample length.

In the next section we will introduce basic notation and recall fundamental definitions that will be used throughout the paper. In Sect. 2 the basics of bounded model checking are described and the results of the original BMC paper [BCCZ99] are discussed. Section 3 presents our efficient BMC encoding for LTL published in [LBHJ04]. The section also considers alternative encodings of the BMC problem and contrasts the encodings to model checking based on symbolic Büchi automata. Section 4 presents the liveness-to-safety transformation and discusses its connection to the presented BMC encodings. To extend BMC to full PLTL, we use the technique of "virtual unrolling". We present our generalised BMC encoding that encompasses full PLTL in Sect. 5. We also show that virtual unrolling can be applied to symbolic Büchi automata. Section 6 shows how our encodings can be adapted to the incremental setting [HJL05]. The adapted encodings are developed to maximise the information learnt between the SAT solver invocations. In Sect. 7 we discuss how BMC can be made complete. Specifically we show how our encodings can be extended with a termination check to achieve completeness. Section 8 experimentally compares the different encodings presented in the paper. We discuss conclusions and directions of future work in Sect. 9.

1. Preliminaries 

1.1. Linear Temporal Logic with Past. Linear temporal logic with past (PLTL) is a commonly used specification logic. Although all PLTL properties are definable using only two basic temporal operators (U and X), it has been argued that especially compositional reasoning benefits from the use of past operators [LPZ85]. Using only the basic operators results in a logic that is exponentially less succinct than PLTL [LMS02].

The syntax of PLTL is defined over a set of atomic propositions AP. Boolean operators 
we use are negation, disjunction and conjunction. The temporal operators we will use are 
"next time" (X ) and its two past-time counterparts, the "previous time" past temporal 
operators (Y , Z ); the future temporal connectives "until" (U) and "release" (R) and their 
past-time counterparts "since" (S) and "trigger" (T). We will call the commonly used 
subset of PLTL that does not contain any past temporal operators linear temporal logic 
(LTL). 

The semantics of a PLTL formula is defined along infinite paths $\pi = s_0 s_1 \ldots$ of states $s_i$, where we assume a mapping $L$ from each state to the set of atomic propositions true in that state. Let $\pi^i$ denote the path $\pi$ with a designated formula evaluation position $i$. The semantics can then be defined inductively as follows:

$$\begin{array}{lcl}
\pi^i \models p & \Leftrightarrow & p \in L(s_i) \text{ for } p \in AP. \\
\pi^i \models \neg p & \Leftrightarrow & \pi^i \not\models p. \\
\pi^i \models \psi_1 \vee \psi_2 & \Leftrightarrow & \pi^i \models \psi_1 \text{ or } \pi^i \models \psi_2. \\
\pi^i \models \psi_1 \wedge \psi_2 & \Leftrightarrow & \pi^i \models \psi_1 \text{ and } \pi^i \models \psi_2. \\
\pi^i \models \mathbf{X}\psi_1 & \Leftrightarrow & \pi^{i+1} \models \psi_1. \\
\pi^i \models \psi_1 \mathbf{U} \psi_2 & \Leftrightarrow & \exists j \geq i \text{ such that } \pi^j \models \psi_2 \text{ and } \pi^n \models \psi_1 \text{ for all } i \leq n < j. \\
\pi^i \models \psi_1 \mathbf{R} \psi_2 & \Leftrightarrow & \text{for all } j \geq i:\ \pi^j \models \psi_2 \text{ or } \pi^n \models \psi_1 \text{ for some } i \leq n < j. \\
\pi^i \models \mathbf{Y}\psi_1 & \Leftrightarrow & i > 0 \text{ and } \pi^{i-1} \models \psi_1. \\
\pi^i \models \mathbf{Z}\psi_1 & \Leftrightarrow & i = 0 \text{ or } \pi^{i-1} \models \psi_1. \\
\pi^i \models \psi_1 \mathbf{S} \psi_2 & \Leftrightarrow & \exists\, 0 \leq j \leq i \text{ such that } \pi^j \models \psi_2 \text{ and } \pi^n \models \psi_1 \text{ for all } j < n \leq i. \\
\pi^i \models \psi_1 \mathbf{T} \psi_2 & \Leftrightarrow & \text{for all } 0 \leq j \leq i:\ \pi^j \models \psi_2 \text{ or } \pi^n \models \psi_1 \text{ for some } j < n \leq i.
\end{array}$$


Commonly used abbreviations for PLTL formulas are the standard Boolean shorthands $\top = p \vee \neg p$ for some $p \in AP$, $\bot = \neg\top$, $p \rightarrow q = \neg p \vee q$, $p \leftrightarrow q = (p \rightarrow q) \wedge (q \rightarrow p)$, and the derived temporal operators $\mathbf{F}\psi_1 = \top\,\mathbf{U}\,\psi_1$ ('finally'), $\mathbf{G}\psi_1 = \neg\mathbf{F}\neg\psi_1$ ('globally'), $\mathbf{O}\psi_1 = \top\,\mathbf{S}\,\psi_1$ ('once'), and $\mathbf{H}\psi_1 = \bot\,\mathbf{T}\,\psi_1$ ('historically').

It is always possible to rewrite any formula to positive normal form, where all negations only appear in front of atomic propositions. This can be accomplished by using the dualities

$$\neg(\psi_1 \mathbf{U} \psi_2) = \neg\psi_1 \mathbf{R} \neg\psi_2,\quad \neg(\psi_1 \mathbf{R} \psi_2) = \neg\psi_1 \mathbf{U} \neg\psi_2,\quad \neg\mathbf{X}\psi_1 = \mathbf{X}\neg\psi_1,\quad \neg\mathbf{Y}\psi_1 = \mathbf{Z}\neg\psi_1,$$

$$\neg\mathbf{Z}\psi_1 = \mathbf{Y}\neg\psi_1,\quad \neg(\psi_1 \mathbf{S} \psi_2) = \neg\psi_1 \mathbf{T} \neg\psi_2,\quad \neg(\psi_1 \mathbf{T} \psi_2) = \neg\psi_1 \mathbf{S} \neg\psi_2,$$

and De Morgan's rules for propositional logic. In this paper we assume all formulas are in positive normal form unless otherwise explicitly stated.

¹ We use commas between elements of a tuple (such as a state consisting of the valuations of several state variables) and no separator between elements of a sequence (such as a path). While we generally follow the latter convention also for composition of sequences, we sometimes prefer to emphasise composition using $\circ$, e.g., if the entire sequence spans multiple lines.



A. BIERE, K. HELJANKO, T. JUNTTILA, T. LATVALA, AND V. SCHUPPAN

The maximum number of nested past operators of a PLTL formula is called the past operator depth.

Definition 1.1. The past operator depth [LMS02, BC03] for a PLTL formula $\psi$ is denoted by $\delta(\psi)$ and is inductively defined as:

$$\begin{array}{lcll}
\delta(p) & = & 0 & \text{for } p \in AP, \\
\delta(\circ\,\psi_1) & = & \delta(\psi_1) & \text{for } \circ \in \{\neg, \mathbf{X}\}, \\
\delta(\psi_1 \circ \psi_2) & = & \max(\delta(\psi_1), \delta(\psi_2)) & \text{for } \circ \in \{\vee, \wedge, \mathbf{U}, \mathbf{R}\}, \\
\delta(\circ\,\psi_1) & = & 1 + \delta(\psi_1) & \text{for } \circ \in \{\mathbf{Y}, \mathbf{Z}\}, \text{ and} \\
\delta(\psi_1 \circ \psi_2) & = & 1 + \max(\delta(\psi_1), \delta(\psi_2)) & \text{for } \circ \in \{\mathbf{S}, \mathbf{T}\}.
\end{array}$$

The set of subformulas of a PLTL formula $\psi$ is denoted by $cl(\psi)$ and is defined as the smallest set satisfying the following conditions:

$\psi \in cl(\psi)$,

if $\circ\,\psi_1 \in cl(\psi)$ for $\circ \in \{\neg, \mathbf{X}, \mathbf{Y}, \mathbf{Z}\}$ then $\psi_1 \in cl(\psi)$, and

if $\psi_1 \circ \psi_2 \in cl(\psi)$ for $\circ \in \{\vee, \wedge, \mathbf{U}, \mathbf{R}, \mathbf{S}, \mathbf{T}\}$ then $\psi_1, \psi_2 \in cl(\psi)$.
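The three definitions of this subsection as executable Python, added here as an example (it is not code from the paper): rewriting to positive normal form via the dualities above, the past operator depth $\delta$ of Definition 1.1, and the closure $cl$. Formulas are represented as nested tuples; that representation and the helper names are this example's own choices.

```python
# PLTL formulas as nested tuples (added example, not the paper's code):
#   ('p', a)                       atomic proposition a
#   ('not', f)                     negation
#   ('and', f, g), ('or', f, g)
#   ('X', f), ('Y', f), ('Z', f)   next / previous / weak previous
#   ('U', f, g), ('R', f, g)       until / release
#   ('S', f, g), ('T', f, g)       since / trigger

UNARY = {'X', 'Y', 'Z'}
# the dualities of Sect. 1.1: pushing a negation through an operator yields its dual
DUAL = {'X': 'X', 'Y': 'Z', 'Z': 'Y', 'U': 'R', 'R': 'U', 'S': 'T', 'T': 'S',
        'and': 'or', 'or': 'and'}


def atom(a):
    return ('p', a)


def neg(f):
    return ('not', f)


TOP = ('or', atom('p'), neg(atom('p')))     # T = p ∨ ¬p for some p ∈ AP
BOT = neg(TOP)                               # ⊥ = ¬T


def F(f): return ('U', TOP, f)    # finally      F f = T U f
def G(f): return neg(F(neg(f)))   # globally     G f = ¬F ¬f
def O(f): return ('S', TOP, f)    # once         O f = T S f
def H(f): return ('T', BOT, f)    # historically H f = ⊥ T f


def pnf(f):
    """Positive normal form: negations occur only in front of atomic propositions."""
    op = f[0]
    if op == 'p':
        return f
    if op == 'not':
        g = f[1]
        if g[0] == 'p':
            return f
        if g[0] == 'not':                        # ¬¬g1 = g1
            return pnf(g[1])
        if g[0] in UNARY:                        # ¬Xg = X¬g, ¬Yg = Z¬g, ¬Zg = Y¬g
            return (DUAL[g[0]], pnf(neg(g[1])))
        # De Morgan for and/or; the U/R and S/T dualities otherwise
        return (DUAL[g[0]], pnf(neg(g[1])), pnf(neg(g[2])))
    if op in UNARY:
        return (op, pnf(f[1]))
    return (op, pnf(f[1]), pnf(f[2]))


def past_depth(f):
    """δ(f) of Definition 1.1: maximum nesting of the past operators Y, Z, S, T."""
    op = f[0]
    if op == 'p':
        return 0
    if op in ('not', 'X'):
        return past_depth(f[1])
    if op in ('Y', 'Z'):
        return 1 + past_depth(f[1])
    if op in ('and', 'or', 'U', 'R'):
        return max(past_depth(f[1]), past_depth(f[2]))
    return 1 + max(past_depth(f[1]), past_depth(f[2]))      # S, T


def closure(f):
    """cl(f): the set of all subformulas of f, f itself included."""
    cl = set()
    todo = [f]
    while todo:
        g = todo.pop()
        if g in cl:
            continue
        cl.add(g)
        if g[0] != 'p':
            todo.extend(g[1:])
    return cl


if __name__ == '__main__':
    p, q = atom('p'), atom('q')
    spec = neg(('S', ('Y', p), q))            # ¬((Y p) S q)
    print(pnf(spec))                          # ('T', ('Z', ('not', p)), ('not', q))
    print(past_depth(spec), len(closure(pnf(spec))))
```

Note that `pnf` never increases the past operator depth: each duality maps an operator to its dual in the same depth class, which is why the depth can be computed on either form.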



1.2. Kripke Structures. The states of a path are members of the finite set of states $S$ of a model (a Kripke structure) $M = (S, T, I, L)$ with a total transition relation $T$, a set of initial states $I$, and a mapping $L : S \rightarrow 2^{AP}$ indicating the set of atomic propositions that are true in a state. $L$ is extended to sequences of states (paths) in the natural way. A path is initialised iff its first state belongs to $I$. The set of initialised infinite paths is denoted $\Pi$. The language of a Kripke structure can then be defined as $\mathrm{Lang}(M) = \{\alpha \mid \exists \pi \in \Pi .\ L(\pi) = \alpha\}$.

Sometimes we equip a Kripke structure with a number of acceptance sets (or fairness constraints) $F_0, \ldots, F_f$, where each $F_m$, $0 \leq m \leq f$, is a subset of $S$. $M = (S, T, I, L, F = \{F_0, \ldots, F_f\})$ is then called a fair Kripke structure. A path in $M$ is fair iff it contains infinitely many occurrences of states from each acceptance set. $\Pi$ and $\mathrm{Lang}(M)$ are then restricted to fair paths.

We usually construct a Kripke structure symbolically over a set of variables $V$. In that case the set of states $S$ is given by the set of valuations of $V$, possibly constrained by a set of state invariants. Similarly, $I$, $T$, and $F_0, \ldots, F_f$ are the largest subsets of $S$ or $S \times S$ fulfilling certain constraints. The valuation of a variable $v$ in a state $s$ is denoted $v(s)$.

For a Kripke structure $M$ we say that a formula $\psi_1$ holds in $M$ if for every infinite initialised path $\pi$ of $M$ we have that $\pi \models \psi_1$. This is denoted $M \models \psi_1$. For a formula to hold in a fair Kripke structure it is required to hold only along all fair paths.

1.3. Büchi Automata. Büchi automata are frequently used as an operational model of the more descriptive PLTL formulae [VW86]. In this paper a Büchi automaton is simply a fair Kripke structure. However, if we speak of a "model" we refer to a Kripke structure that is to be verified (it is used as a language generator). When we say "Büchi automaton" we intend a Kripke structure to serve as a specification (it is used as a language acceptor).

A Büchi automaton $B$ has a run $\pi$ on an infinite sequence $\alpha$ over $2^{AP}$ iff $\pi$ is an initialised path in $B$ with $L(\pi) = \alpha$. The run is accepting iff it is fair. Hence, $B$ has an accepting run on $\alpha$ iff $\alpha \in \mathrm{Lang}(B)$.

Typically a Büchi automaton $B$ specifies undesirable behaviour. The question whether a model $M$ conforms to the specification then reduces to the question whether there is an initialised fair path in the product $M \times B$ [VW86]. As both $M$ and $B$ are finite state the
search for such a path can be restricted to lasso-shaped paths, i.e., paths which are of the form $\beta\gamma^\omega$, where $\beta$ and $\gamma$ are finite paths.

Figure 1: The two possible cases for a bounded path: (a) $(k,l)$-loop, (b) no-loop.

If a witness to the violation of the specification is to be extracted from an initialised fair path in the product of $M$ and $B$ for debugging, it is desirable that this path is short. A Büchi automaton is tight iff for every $\alpha = \beta\gamma^\omega \in \mathrm{Lang}(B)$ it has an accepting run $\rho = \sigma\tau^\omega$ such that $\alpha$ and $\rho$ have the same shape: $|\beta| = |\sigma|$ and $|\gamma| = |\tau|$ [SB05, KV01]. Hence, the Büchi automaton can adapt as a chameleon to the shape of any potential lasso-shaped witness.

2. Bounded Model Checking

The main idea of bounded model checking [BCCZ99] is to search for bounded witnesses for a temporal property. A bounded witness is an initialised infinite path in which the property holds, and which can be represented by a finite path of length $k$. A finite path can represent infinite behaviour in the following sense. In (a) the $(k,l)$-loop case the finite path forms a loop and contains all infinite behaviour, or (b) the no-loop case, when the finite path represents all its infinite extensions. More formally, an infinite path $\pi = s_0 s_1 s_2 \ldots$ of states contains a $(k,l)$-loop, or just a $k$-loop, if $\pi = (s_0 s_1 \ldots s_{l-1})(s_l \ldots s_k)^\omega$ such that $0 < l \leq k$ and $s_{l-1} = s_k$. The two cases we consider are depicted in Fig. 1.

In BMC all possible $k$-length bounded witnesses of the negation of the specification are encoded as a SAT problem. The bound $k$ is increased until either a witness is found (the instance is satisfiable) or a sufficiently high value of $k$ to guarantee completeness is reached.

Note that as in [FSW02, BC03, LBHJ04, LBHJ05, HJL05] the shape of the loop and accordingly the meaning of the bound $k$ is slightly different from [BCCZ99]. In this paper a finite path of length $k$ always has $k$ transitions, and an infinite path with a loop contains the looping state twice, at position $l-1$ and at position $k$.

Bounded model checking uses a bounded semantics of PLTL which safely under-approximates the normal semantics. It allows us to use a bounded prefix $\pi_k = s_0 s_1 \ldots s_k$ of an initialised infinite path $\pi$ to check the formula. The semantics is split into two cases. If the infinite path $\pi$ is a $k$-loop a different semantics is used than in the case where it is not a $k$-loop. The definition below assumes the formula is in positive normal form.

Definition 2.1. (See also [BCCZ99, FSW02].) Given an initialised infinite path $\pi$ and bound $k \in \mathbb{N}$, $\pi \models_k \psi$ iff (a) $\pi$ is a $(k,l)$-loop for some $0 < l \leq k$ and $\pi^0 \models \psi$, or (b) $\pi^0 \models_{nl} \psi$, where:

$$\begin{array}{lcl}
\pi^i \models_{nl} p & \Leftrightarrow & \pi^i \models p. \\
\pi^i \models_{nl} \neg p & \Leftrightarrow & \pi^i \models \neg p. \\
\pi^i \models_{nl} \psi_1 \wedge \psi_2 & \Leftrightarrow & \pi^i \models_{nl} \psi_1 \text{ and } \pi^i \models_{nl} \psi_2. \\
\pi^i \models_{nl} \psi_1 \vee \psi_2 & \Leftrightarrow & \pi^i \models_{nl} \psi_1 \text{ or } \pi^i \models_{nl} \psi_2. \\
\pi^i \models_{nl} \mathbf{X}\psi_1 & \Leftrightarrow & i < k \text{ and } \pi^{i+1} \models_{nl} \psi_1. \\
\pi^i \models_{nl} \psi_1 \mathbf{U} \psi_2 & \Leftrightarrow & \exists\, i \leq j \leq k \text{ such that } \pi^j \models_{nl} \psi_2 \text{ and } \pi^n \models_{nl} \psi_1 \text{ for all } i \leq n < j. \\
\pi^i \models_{nl} \psi_1 \mathbf{R} \psi_2 & \Leftrightarrow & \exists\, i \leq j \leq k \text{ such that } \pi^j \models_{nl} \psi_1 \text{ and } \pi^n \models_{nl} \psi_2 \text{ for all } i \leq n \leq j. \\
\pi^i \models_{nl} \mathbf{Y}\psi_1 & \Leftrightarrow & i > 0 \text{ and } \pi^{i-1} \models_{nl} \psi_1. \\
\pi^i \models_{nl} \mathbf{Z}\psi_1 & \Leftrightarrow & i = 0 \text{ or } \pi^{i-1} \models_{nl} \psi_1. \\
\pi^i \models_{nl} \psi_1 \mathbf{S} \psi_2 & \Leftrightarrow & \exists\, 0 \leq j \leq i \text{ such that } \pi^j \models_{nl} \psi_2 \text{ and } \pi^n \models_{nl} \psi_1 \text{ for all } j < n \leq i. \\
\pi^i \models_{nl} \psi_1 \mathbf{T} \psi_2 & \Leftrightarrow & \text{for all } 0 \leq j \leq i:\ \pi^j \models_{nl} \psi_2 \text{ or } \pi^n \models_{nl} \psi_1 \text{ for some } j < n \leq i.
\end{array}$$


Because the languages defined by the models of a PLTL formula belong to the $\omega$-regular languages, we can restrict ourselves to searching for ultimately periodic witnesses in our models. Notice that for every ultimately periodic infinite path $\pi$, the bounded semantics becomes equivalent to the exact semantics when $k$ grows large enough to represent $\pi$ as a $(k,l)$-loop. Thus for a model $M$ and a PLTL property $\psi$ there always exists some $k \in \mathbb{N}$ such that the bounded semantics becomes exact, i.e., $M \models \psi$ iff $M \models_k \psi$.
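Definition 2.1 as executable Python, added here as an example (not the paper's code). The no-loop case (b) is the finite evaluation of $\models_{nl}$ on the prefix; the $(k,l)$-loop case (a) evaluates the exact semantics on the infinite lasso. For that the example folds positions back into the loop: on a $(k,l)$-loop with $p = k - l + 1$ states in the loop, a formula of past depth $d$ has the same truth value at positions $n$ and $n + p$ once $n \geq l + d \cdot p$, which is the stabilisation fact virtual unrolling [BC03] builds on. That fact, the tuple representation of formulas and the identification of a state with its label $L(s_i)$ are this example's own assumptions.

```python
from functools import lru_cache

# Formulas are nested tuples in positive normal form (Sect. 1.1): ('p', a),
# ('not', ('p', a)), ('and', f, g), ('or', f, g), ('X', f), ('Y', f), ('Z', f),
# ('U', f, g), ('R', f, g), ('S', f, g), ('T', f, g).  A state s_i is given as
# the set L(s_i) of atomic propositions true in it.


def past_depth(f):
    """δ(f) of Definition 1.1."""
    op = f[0]
    if op == 'p':
        return 0
    if op in ('not', 'X'):
        return past_depth(f[1])
    if op in ('Y', 'Z'):
        return 1 + past_depth(f[1])
    if op in ('and', 'or', 'U', 'R'):
        return max(past_depth(f[1]), past_depth(f[2]))
    return 1 + max(past_depth(f[1]), past_depth(f[2]))      # S, T


def bounded_sat(f, prefix, loop=None):
    """π ⊨_k f for the bounded prefix [s_0, ..., s_k] (Definition 2.1).

    loop=None        : case (b), the no-loop semantics ⊨_nl on the prefix alone;
    loop=l, 0<l<=k   : case (a), the exact semantics on the (k,l)-loop
                       (s_0 ... s_{l-1})(s_l ... s_k)^ω, evaluated at position 0.
    """
    s = tuple(frozenset(x) for x in prefix)
    k = len(s) - 1
    if loop is not None and not (0 < loop <= k and s[loop - 1] == s[k]):
        raise ValueError("prefix is not a (k,l)-loop for l=%r" % loop)
    p = k - loop + 1 if loop else 0            # number of states in the loop

    def state(n):                              # s_n of the infinite path
        return s[n] if n <= k else s[loop + (n - loop) % p]

    @lru_cache(maxsize=None)
    def ev(g, n):
        op = g[0]
        if loop and n >= loop + (past_depth(g) + 1) * p:
            # a formula of past depth d is periodic with period p from l + d*p on
            # (the stabilisation fact behind virtual unrolling [BC03], assumed
            # here): fold n back by whole loop lengths
            return ev(g, n - p)
        if op == 'p':
            return g[1] in state(n)
        if op == 'not':
            return g[1][1] not in state(n)
        if op == 'and':
            return ev(g[1], n) and ev(g[2], n)
        if op == 'or':
            return ev(g[1], n) or ev(g[2], n)
        if op == 'X':
            return ev(g[1], n + 1) if loop else (n < k and ev(g[1], n + 1))
        if op == 'Y':
            return n > 0 and ev(g[1], n - 1)
        if op == 'Z':
            return n == 0 or ev(g[1], n - 1)
        g1, g2 = g[1], g[2]
        if op in ('U', 'R'):
            if loop:
                # the operands are periodic from l + d*p on, so this window of
                # positions covers every distinct suffix of the lasso
                future = range(n, max(n, loop + past_depth(g) * p) + p)
            else:
                future = range(n, k + 1)       # the prefix ends at s_k
            if op == 'U':
                return any(ev(g2, j) and all(ev(g1, m) for m in range(n, j))
                           for j in future)
            if loop:                           # exact release on the lasso
                return all(ev(g2, j) or any(ev(g1, m) for m in range(n, j))
                           for j in future)
            # no-loop release is under-approximated: g1 must occur within the prefix
            return any(ev(g1, j) and all(ev(g2, m) for m in range(n, j + 1))
                       for j in future)
        past = range(0, n + 1)                 # past operators only look back
        if op == 'S':
            return any(ev(g2, j) and all(ev(g1, m) for m in range(j + 1, n + 1))
                       for j in past)
        if op == 'T':
            return all(ev(g2, j) or any(ev(g1, m) for m in range(j + 1, n + 1))
                       for j in past)
        raise ValueError("unknown operator %r" % (op,))

    return ev(f, 0)


if __name__ == '__main__':
    # constructed prefix: s_1 == s_3, so it is a (3,2)-loop  {} {p} ({q} {p})^ω
    prefix = [set(), {'p'}, {'q'}, {'p'}]
    p = ('p', 'p')
    top, bot = ('or', p, ('not', p)), ('and', p, ('not', p))
    gf_p = ('R', bot, ('U', top, p))                       # G F p
    print(bounded_sat(gf_p, prefix), bounded_sat(gf_p, prefix, loop=2))
```

The two results printed for $\mathbf{G}\mathbf{F}p$ illustrate the under-approximation: the no-loop semantics cannot witness a release within a finite prefix, whereas the same prefix read as a $(3,2)$-loop satisfies the formula exactly.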

2.1. Original BMC Encoding for LTL. The original encoding [BCCZ99] is defined recursively over the structure of the LTL formula $\psi$ and the current position $i$. It is parameterised by the bound $k$ and the start of the loop $l$, and closely follows the bounded semantics of Def. 2.1. Therefore, for fixed $i$, $k$, and $l$, each subformula $\mathbf{F}\psi_1$ resp. $\mathbf{G}\psi_1$ of $\psi$ requires constraints of size $O(k)$ using the encoding of $\psi_1$ at various positions. The binary operators $\mathbf{U}$ and $\mathbf{R}$ need constraints of size $O(k^2)$. Since the encoding of a subformula $\psi_2$ is only dependent on $i$, $l$, and $k$, and, in particular, multiple occurrences of the encoding of $\psi_2$ under the same set of parameters can be shared, the overall size can be bounded by $O(|\psi| \cdot k^3)$.

Parts of the constraints can be shared for different $i$. This reduces the overall complexity of the original encoding to $O(|\psi| \cdot k^2)$. It can be reduced even further to $O(|\psi| \cdot k)$, if only unary future temporal operators occur in $\psi$. As an example consider the formula $\psi = \mathbf{F}\mathbf{G}p$. As shown in [CPRS02, LBHJ04] a linear encoding of $\psi$ can be obtained by optimising the original encoding using associativity and sharing. The encoding of, for instance, $\mathbf{G}(r \rightarrow (p\,\mathbf{U}\,q))$ is at least quadratic no matter what simplifications based on sharing and associativity are used [LBHJ04].

Even if more sophisticated circuit optimisations would allow to reduce the cubic original encoding to linear size, it is much more natural to start with a linear encoding in the first place. Finally, the original encoding translates looping and non-looping witnesses separately, while more advanced encodings, as discussed in this article, combine both.

It is tempting to use the recursive one step identities of the (unbounded) semantics of temporal operators $\psi_1 \mathbf{U} \psi_2 \equiv \psi_2 \vee (\psi_1 \wedge \mathbf{X}(\psi_1 \mathbf{U} \psi_2))$ and $\psi_1 \mathbf{R} \psi_2 \equiv \psi_2 \wedge (\psi_1 \vee \mathbf{X}(\psi_1 \mathbf{R} \psi_2))$ without any notion of fairness to encode LTL in a straightforward way, as for instance suggested in [BCC+03]. In order to represent all witnesses for $\mathbf{G}p$ in a Kripke structure consisting of a single state with a self loop the following propositional formula can be used:

$$I(s_0) \wedge T(s_0, s_0) \wedge |[\mathbf{G}p]|_0 \wedge \big(|[\mathbf{G}p]|_0 \leftrightarrow p_0 \wedge |[\mathbf{G}p]|_0\big).$$

Note the direct translation of the one step identity of the semantics of $\mathbf{G}$ on the right side. In this case, and in general for temporal operators with greatest fix-point semantics, this construction is sound, because the existence of an arbitrary fix-point implies the existence of the greatest fix-point and the recursively defined variable, denoted $|[\mathbf{G}p]|_0$, has only positive occurrences.

If applied in a naive way, the same construction is incorrect for temporal operators with least fix-point semantics, as the following example shows. Again we are interested in all witnesses consisting of a single state with a self loop, but now for the LTL formula $\mathbf{F}p$. Using the same construction as above, simply following the one step LTL identities of $\mathbf{F}$ without any notion of fairness, the following propositional encoding is obtained:

$$I(s_0) \wedge T(s_0, s_0) \wedge |[\mathbf{F}p]|_0 \wedge \big(|[\mathbf{F}p]|_0 \leftrightarrow p_0 \vee |[\mathbf{F}p]|_0\big).$$

This formula can always be satisfied as long as the transition relation has a self loop in an initial state by setting the Boolean variable $|[\mathbf{F}p]|_0$ to $\top$. Therefore it will hold even if $p$ is false in the initial state, and the encoding is therefore incorrect.
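To see the failure mode concretely, the following added Python (not code from the paper) builds the naive one-step encoding of $\mathbf{F}p$ and $\mathbf{G}p$ on a cycle $s_0 \rightarrow s_1 \rightarrow \cdots \rightarrow s_k \rightarrow s_0$ of $k+1$ states, which generalises the single-state self loop above, and enumerates all its models with a brute-force search in place of a SAT solver. The cycle model and the variable naming are the example's own assumptions.

```python
from itertools import product


def naive_cycle_encoding_models(op, k):
    """All models of the naive one-step encoding of F p (op='F') or G p (op='G')
    on the cycle s_0 -> s_1 -> ... -> s_k -> s_0.

    p[i] is the value of p in s_i and v[i] stands for the recursively defined
    variable |[op p]|_i, constrained by the one-step identity along the cycle:
        v_i <-> p_i or  v_{(i+1) mod (k+1)}   for F
        v_i <-> p_i and v_{(i+1) mod (k+1)}   for G
    v_0 is required to be true, as the encoding asserts |[op p]|_0.
    Only free variables are enumerated; the enumeration stands in for the solver."""
    n = k + 1
    models = []
    for p in product((False, True), repeat=n):
        for v in product((False, True), repeat=n):
            if not v[0]:
                continue
            consistent = True
            for i in range(n):
                nxt = v[(i + 1) % n]
                rhs = (p[i] or nxt) if op == 'F' else (p[i] and nxt)
                if v[i] != rhs:
                    consistent = False
                    break
            if consistent:
                models.append((p, v))
    return models


def spurious_models(op, k):
    """Models of the naive encoding whose p-vector does NOT satisfy op p on the
    cycle: F p holds iff p is true somewhere on the cycle, G p iff everywhere."""
    holds = {'F': any, 'G': all}[op]
    return [(p, v) for p, v in naive_cycle_encoding_models(op, k) if not holds(p)]


if __name__ == '__main__':
    for op in ('G', 'F'):
        bad = spurious_models(op, 2)
        print(op, 'p on a 3-state cycle:', len(bad), 'spurious model(s)')
        for p, v in bad:
            print('   p =', p, ' |[%s p]| =' % op, v)
```

For $\mathbf{G}p$ the only solution of the cyclic constraint system forces every $p_i$ to true, so the greatest fixpoint is sound; for $\mathbf{F}p$ the all-true assignment to the $v_i$ is a fixpoint of $v_i \leftrightarrow p_i \vee v_{i+1}$ even when every $p_i$ is false, which is exactly the spurious model the text describes.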

3. Improved Encodings of Bounded Model Checking for LTL 

In this section several alternative bounded model checking encodings for LTL (i.e., PLTL without past temporal operators) are presented. How to extend the approaches to full PLTL containing also past temporal formulas is the topic of Sect. 5.

3.1. BMC for LTL with Fixpoint Evaluation. One of the key factors affecting the 
efficiency of BMC is the size of the resulting SAT encoding. If the encoding produces 
unnecessarily large formulas the solver can quickly be overwhelmed, and we may not be 
able to proceed deep enough to find all violations to the specification in the design under 
model checking. 

In [LBHJ04] we presented a BMC encoding to SAT for LTL which is linear in $k$ and outperformed previous encodings. It consists of three types of constraints on the state variables representing the possible paths of length $k$: model constraints, loop constraints and LTL constraints. Model constraints $|[M]|_k$ encode legal initialised finite paths of the model $M$ of length $k$:

$$|[M]|_k := I(s_0) \wedge \bigwedge_{i=1}^{k} T(s_{i-1}, s_i),$$

where $I(s)$ is the initial state predicate and $T(s, s')$ is a total transition relation predicate. The loop constraints are used to non-deterministically select loops of paths encoded by the model constraints. We introduce $k+1$ fresh loop selector variables $l_0, \ldots, l_k$ which determine where the path loops. At most one loop selector variable is allowed to be true. If $l_j$ is true then $s_{j-1} = s_k$, i.e., the bit vectors representing the state $s_{j-1}$ and the state $s_k$ have bitwise identical values. In this case the LTL constraints treat the bounded path as a $(k,j)$-loop. If no loop selector variable is true then the LTL constraints treat the path as not having a loop (the no-loop case). Some counterexamples can be detected at lower bounds with the no-loop case (informative safety counterexamples of [KV01] to be exact). The loop constraints are encoded by conjuncting the constraints below. Only the loop selector variables $l_i$ require fresh unconstrained variables; everything else can be implemented as constraints, i.e., variables that are constrained to be functionally dependent on the other variables of the formula. We denote the constraints by $|[\mathit{LoopConstraints}]|_k$:




$$\begin{array}{l|ll}
\text{Base} & l_0 \Leftrightarrow \bot & \mathit{InLoop}_0 \Leftrightarrow \bot \\
\hline
1 \leq i \leq k & l_i \Rightarrow (s_{i-1} = s_k) & \mathit{InLoop}_i \Leftrightarrow \mathit{InLoop}_{i-1} \vee l_i \\
 & & \mathit{InLoop}_{i-1} \Rightarrow \neg l_i \\
\hline
 & \mathit{LoopExists} \Leftrightarrow \mathit{InLoop}_k &
\end{array}$$



InLoopi is true if the position i is in the loop part of the path. The loop selector variables 
indicate where the bounded path loops and select either a (A;, j)-loop when Ij hold^ or the 
no-loop case when no Ij holds. In the (A;,j)-loop case the variable LoopExists will be true 
and in the no-loop case it will be false. Finally, the LTL constraints check if the bounded 
path defined by the model constraints and loop constraints is a model of the LTL formula. 
The LTL encoding utilises the fact that for [k, ^)-loops the semantics of CTL and LTL 
coincide, see e.g., |KVOH lTH02j . The intuitive reason is that if each state has exactly one 
successor (i.e., the path is lasso-shaped) then the semantics of the path quantifiers A and 
E of CTL agree. An LTL formula can therefore be evaluated in a lasso-shaped Kripke 
structure by a CTL model checker in linear time by prefixing each temporal operator by 
an E path quantifier |TH02j . which results in a CTL formulao The encoding can be seen 
as a CTL model checker for lasso-shaped Kripke structures based on using the least and 
greatest fixpoint characterisations of U and R. In CTL the until operator £(-01 U ip2) 
can be evaluated by computing the least fixed point E('0i U 11:2) = V {ijji A EXZ) 

while the release operator E('0i R'i/'2) can be evaluated by computing the greatest fixpoint 
E(V'i R'02) = T^Z.il:2 A (-01 V EXZ), see e.g., jCGP99j . The encoding model checks lasso- 
shaped Kripke structures by computing the least and greatest fixpoints for U and R. 

Given a formula $\varphi$ we denote by $|[\varphi]|_i$ the Boolean formula for computing the truth
value of $\varphi$ at position $i$. To evaluate whether a formula $\psi$ holds in the initial state we
must generate the formula for $|[\psi]|_0$. The computation of the fixpoints for U and R is done
in two parts. The auxiliary translation $\langle\langle \cdot \rangle\rangle$ computes an over-approximation for greatest
fixpoints and an under-approximation for least fixpoints. The approximations are refined
to exact values by $|[\cdot]|$. The auxiliary translation $\langle\langle \cdot \rangle\rangle$ under-approximates $\psi_1 \mathrel{U} \psi_2$-formulas
by assuming that $\psi_1 \mathrel{U} \psi_2$ does not hold in the successor of the end state $s_k$. Conversely,
$\psi_1 \mathrel{R} \psi_2$ is over-approximated by assuming that $\psi_1 \mathrel{R} \psi_2$ holds in the successor of the end
state $s_k$. Both of these approximations are exact at the loop point $j$ where $l_j$ holds, because
of the simple looping structure of the models.

The encoding can be understood as a recursively defined function where there is a case
for each logical or temporal connective. For propositional LTL formulas the encoding is as
follows:

$$
\begin{array}{ll}
\varphi & |[\varphi]|_i,\quad 0 \le i \le k \\ \hline
p & p \in L(s_i) \\
\lnot p & p \notin L(s_i) \\
\psi_1 \land \psi_2 & |[\psi_1]|_i \land |[\psi_2]|_i \\
\psi_1 \lor \psi_2 & |[\psi_1]|_i \lor |[\psi_2]|_i
\end{array}
$$

¹ There is at most one index $j$ where $l_j$ holds, as otherwise $|[\mathit{LoopConstraints}]|_k$ would be unsatisfiable.
² Naturally, we could also use the A path quantifier.
The encoding for temporal LTL formulas is as follows:

$$
\begin{array}{lll}
\varphi & |[\varphi]|_i,\quad 0 \le i < k & |[\varphi]|_k,\quad i = k \\ \hline
X \psi_1 & |[\psi_1]|_{i+1} & \bigvee_{j=1}^{k} \big( l_j \land |[\psi_1]|_j \big) \\
\psi_1 \mathrel{U} \psi_2 & |[\psi_2]|_i \lor \big( |[\psi_1]|_i \land |[\psi_1 \mathrel{U} \psi_2]|_{i+1} \big) & |[\psi_2]|_k \lor \Big( |[\psi_1]|_k \land \bigvee_{j=1}^{k} \big( l_j \land \langle\langle \psi_1 \mathrel{U} \psi_2 \rangle\rangle_j \big) \Big) \\
\psi_1 \mathrel{R} \psi_2 & |[\psi_2]|_i \land \big( |[\psi_1]|_i \lor |[\psi_1 \mathrel{R} \psi_2]|_{i+1} \big) & |[\psi_2]|_k \land \Big( |[\psi_1]|_k \lor \bigvee_{j=1}^{k} \big( l_j \land \langle\langle \psi_1 \mathrel{R} \psi_2 \rangle\rangle_j \big) \Big)
\end{array}
$$

The until (release) formulas at $k$ refer to an auxiliary translation $\langle\langle \psi_1 \mathrel{U} \psi_2 \rangle\rangle_j$ ($\langle\langle \psi_1 \mathrel{R} \psi_2 \rangle\rangle_j$)
at the loop point $j$ where $l_j$ holds. It computes an approximation of the semantics of until
(release). If a loop exists this approximation is, in fact, exact for $\psi_1 \mathrel{U} \psi_2$ ($\psi_1 \mathrel{R} \psi_2$) at the
loop index $j$, corresponding to the time point $k+1$ in the $(k, j)$-loop path. In the no-loop
case the effect of the encoding at index $k$ is the same as if all subformulas at the index $k+1$
were evaluated to $\bot$.

The auxiliary encoding for temporal LTL formulas is as follows:

$$
\begin{array}{lll}
\varphi & \langle\langle \varphi \rangle\rangle_i,\quad 1 \le i < k & \langle\langle \varphi \rangle\rangle_k,\quad i = k \\ \hline
\psi_1 \mathrel{U} \psi_2 & |[\psi_2]|_i \lor \big( |[\psi_1]|_i \land \langle\langle \psi_1 \mathrel{U} \psi_2 \rangle\rangle_{i+1} \big) & |[\psi_2]|_k \\
\psi_1 \mathrel{R} \psi_2 & |[\psi_2]|_i \land \big( |[\psi_1]|_i \lor \langle\langle \psi_1 \mathrel{R} \psi_2 \rangle\rangle_{i+1} \big) & |[\psi_2]|_k
\end{array}
$$

Because the semantics of until is a least fixpoint, the encoding of $\langle\langle \psi_1 \mathrel{U} \psi_2 \rangle\rangle_k$ is just
the simplified form of the expression $|[\psi_2]|_k \lor (|[\psi_1]|_k \land \bot)$, where $\langle\langle \psi_1 \mathrel{U} \psi_2 \rangle\rangle_{k+1}$ has been
replaced by $\bot$. Similarly, because the semantics of release is a greatest fixpoint, we have
$|[\psi_2]|_k \land (|[\psi_1]|_k \lor \top)$ for $\langle\langle \psi_1 \mathrel{R} \psi_2 \rangle\rangle_k$.

The conjunction of these three sets of constraints forms the full fixpoint evaluation
encoding of the bounded model checking problem into SAT:

$$
|[M, \psi, k]| := |[M]|_k \land |[\mathit{LoopConstraints}]|_k \land |[\psi]|_0 .
$$
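The two translations above are easiest to trust once they are executed. The following Python program is an added example, not code from the paper: it evaluates $|[\cdot]|_i$ and $\langle\langle \cdot \rangle\rangle_i$ exactly as the tables define them over a fixed path and a fixed loop selector (so the circuit is closed and every node has a definite value), and compares the result with a direct evaluation of the bounded semantics $\models_k$, including the no-loop case in which release is under-approximated. The formula syntax, the state representation (a state is the set of atoms true in it, so $s_{j-1} = s_k$ is compared on labels) and the sample paths are this example's own assumptions.

```python
# Added example (not from the paper): the fixpoint evaluation encoding of
# Sect. 3.1 evaluated as a closed Boolean circuit over a fixed path and loop
# selector, checked against a direct evaluation of the bounded semantics |=_k.
# Formulas are nested tuples in positive normal form:
#   ('ap', p) ('nap', p) ('and', f, g) ('or', f, g) ('X', f) ('U', f, g) ('R', f, g)
# States are frozensets of the atoms true in them (constructed data below).


def subformulas(phi):
    """cl(phi): phi and all its subformulas (with repetitions)."""
    yield phi
    for sub in phi[1:]:
        if isinstance(sub, tuple):
            yield from subformulas(sub)


class FixpointEncoding:
    """|[phi]|_i and <<phi>>_i for the path s_0..s_k with loop=j (l_j is the only
    true loop selector) or loop=None (no l_j holds).  Once path and selector are
    fixed the encoding has no free variables (unique model property)."""

    def __init__(self, states, loop=None):
        self.s, self.k, self.loop = states, len(states) - 1, loop
        # LoopConstraints: l_j => (s_{j-1} = s_k); LoopExists <=> some l_j holds.
        if loop is not None:
            assert 1 <= loop <= self.k and states[loop - 1] == states[self.k]

    def l(self, j):
        return self.loop == j

    def main(self, phi, i):
        """|[phi]|_i for 0 <= i <= k, following the two tables of Sect. 3.1."""
        k, op = self.k, phi[0]
        if op == 'ap':
            return phi[1] in self.s[i]
        if op == 'nap':
            return phi[1] not in self.s[i]
        if op == 'and':
            return self.main(phi[1], i) and self.main(phi[2], i)
        if op == 'or':
            return self.main(phi[1], i) or self.main(phi[2], i)
        if op == 'X':
            if i < k:
                return self.main(phi[1], i + 1)
            return any(self.l(j) and self.main(phi[1], j) for j in range(1, k + 1))
        a, b = phi[1], phi[2]
        # At index k the value "at k+1" is <<phi>>_j at the loop point j; with
        # no loop the disjunction over l_j is false, i.e. k+1 evaluates to ⊥.
        nxt = (self.main(phi, i + 1) if i < k
               else any(self.l(j) and self.aux(phi, j) for j in range(1, k + 1)))
        if op == 'U':
            return self.main(b, i) or (self.main(a, i) and nxt)
        if op == 'R':
            return self.main(b, i) and (self.main(a, i) or nxt)
        raise ValueError(op)

    def aux(self, phi, i):
        """<<phi>>_i for 1 <= i <= k, phi an U or R formula.  At i = k the successor
        of s_k is assumed not to satisfy an until (under-approximation) and to
        satisfy a release (over-approximation), which leaves |[psi_2]|_k."""
        op, a, b = phi
        if i == self.k:
            return self.main(b, self.k)
        if op == 'U':
            return self.main(b, i) or (self.main(a, i) and self.aux(phi, i + 1))
        return self.main(b, i) and (self.main(a, i) or self.aux(phi, i + 1))


def bounded_semantics(states, loop):
    """Reference |=_k.  With a (k, j)-loop the path is s_0..s_k (s_j..s_k)^omega
    and U/R are decided by inspecting one extra period; with no loop nothing
    holds beyond position k (the no-loop semantics).  Returns holds(phi, i)."""
    k = len(states) - 1
    period = None if loop is None else k - loop + 1
    memo = {}

    def pos(m):  # state index of path position m
        return m if m <= k else loop + (m - k - 1) % period

    def holds(phi, m):
        if loop is None and m > k:
            return False
        if (phi, m) in memo:
            return memo[(phi, m)]
        op = phi[0]
        horizon = k + 1 if loop is None else max(m, k) + period
        if op == 'ap':
            v = phi[1] in states[pos(m)]
        elif op == 'nap':
            v = phi[1] not in states[pos(m)]
        elif op == 'and':
            v = holds(phi[1], m) and holds(phi[2], m)
        elif op == 'or':
            v = holds(phi[1], m) or holds(phi[2], m)
        elif op == 'X':
            v = holds(phi[1], m + 1)
        elif op == 'U':
            v = any(holds(phi[2], n) and all(holds(phi[1], t) for t in range(m, n))
                    for n in range(m, horizon + 1))
        else:  # 'R': psi_2 must hold up to and including the first psi_1
            v = all(holds(phi[2], n) or any(holds(phi[1], t) for t in range(m, n))
                    for n in range(m, horizon + 1))
        memo[(phi, m)] = v
        return v

    return holds


def encoding_agrees(states, loop, phi):
    """True iff |[sub]|_i equals pi^i |=_k sub for every sub in cl(phi), 0 <= i <= k."""
    enc, holds = FixpointEncoding(states, loop), bounded_semantics(states, loop)
    return all(enc.main(sub, i) == holds(sub, i)
               for sub in subformulas(phi) for i in range(len(states)))


# Constructed inputs: a (3, 2)-loop {p}{p}({q}{p})^omega and a loop-free {p}{p}{p}.
P, Q = ('ap', 'p'), ('ap', 'q')
FALSE = ('and', P, ('nap', 'p'))
P_U_Q, Q_R_P, G_P = ('U', P, Q), ('R', Q, P), ('R', FALSE, P)
LASSO = [frozenset({'p'}), frozenset({'p'}), frozenset({'q'}), frozenset({'p'})]
PATH = [frozenset({'p'})] * 3

if __name__ == '__main__':
    for phi in (P_U_Q, Q_R_P, G_P, ('X', ('X', P_U_Q))):
        assert encoding_agrees(LASSO, 2, phi) and encoding_agrees(PATH, None, phi)
    print(FixpointEncoding(PATH, None).main(G_P, 0),   # no loop: G p is not claimed
          FixpointEncoding(PATH, 1).main(G_P, 0))      # (2, 1)-loop: G p holds
```

The last two lines show the point made about the no-loop case: on the path where $p$ holds in every state, $G\,p$ (written as $\bot \mathrel{R} p$) evaluates to false without a loop selector and to true once $l_1$ is chosen, matching $\models_k$ in both cases.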
We have the following result:

Theorem 3.1. Given a Kripke structure $M$ and an LTL formula $\psi$, $M$ has an initialised
path $\pi$ such that $\pi \models \psi$ iff there exists a $k \in \mathbb{N}$ such that the fixpoint evaluation encoding
$|[M, \psi, k]|$ is satisfiable. In particular, if $\pi \models_k \psi$ then the fixpoint evaluation encoding
$|[M, \psi, k]|$ is satisfiable.³

Proof. We first prove a stronger result than the second part of the theorem: $M$ has an
initialised path $\pi$ such that $\pi \models_k \psi$ iff the fixpoint evaluation encoding $|[M, \psi, k]|$ is satisfiable.
The first part of the theorem follows from this together with the fact that when the bound
$k$ is increased large enough, $M \models \psi$ iff $M \models_k \psi$.

It is easy to see that the model constraints $|[M]|_k$ encode all legal initialised finite paths
$\pi'$ of the model $M$ of length $k$. Now consider the loop constraints $|[\mathit{LoopConstraints}]|_k$. As
in the definition of the semantics of $\models_k$, we have two cases: (a) $\pi'$ is a $(k, j)$-loop for some
$j$, inducing an infinite path $\pi$: In this case, by setting $l_j$ to true and all other $l_i$ to false,
the truth values of all other variables in $|[\mathit{LoopConstraints}]|_k$ are uniquely determined, in
particular $\mathit{LoopExists}$ will be true. Because $s_{j-1} = s_k$ we can satisfy all constraints in
$|[\mathit{LoopConstraints}]|_k$. It is also easy to check that if more than one $l_i$ variable is true, these
constraints are unsatisfiable. The second case is: (b) We are in the no-loop case: $\pi'$ is
a finite prefix of some initialised infinite path $\pi$ through the system. The only remaining
option is that all $l_i$ variables are false. Now the truth values of all other variables in
$|[\mathit{LoopConstraints}]|_k$ are again uniquely determined, in particular $\mathit{LoopExists}$ will be false.
Thus all constraints in $|[\mathit{LoopConstraints}]|_k$ are satisfied.

³ As an immediate corollary, minimal length $(k, l)$-loop counterexamples for LTL can be detected. The encoding also detects minimal length informative safety counterexamples for LTL.

Consider a satisfying truth assignment of $|[M]|_k \land |[\mathit{LoopConstraints}]|_k$ inducing an
initialised infinite path $\pi$. We want to check that it can be extended to a model of the
full encoding $|[M, \psi, k]|$ iff $\pi \models_k \psi$. Because the encoding $|[\psi]|_0$ is just a Boolean circuit,
the truth values of all its nodes are uniquely determined by the other variables of the
encoding, and we evaluate these values in what follows.

We prove by induction on the structure of the LTL formula $\psi$ that for all $\varphi \in
\mathit{cl}(\psi)$, $0 \le i \le k$: $\pi^i \models_k \varphi$ iff $|[\varphi]|_i$ is true. In particular, $\pi \models_k \psi$ iff $|[\psi]|_0$ is true.

The cases where $\varphi$ is an atomic proposition or its negation are trivial in both cases
(a) and (b). The same holds for all propositional cases, where the claim holds for the
subformulas by the induction hypothesis.

What remains to be proven are the cases where $\varphi$ is a temporal operator. Because the
encoding of $|[\varphi]|_i$ for all indices $0 \le i < k$ just uses the one-step identities for LTL formulas,
the claim holds for all of them provided that for the last index $k$ it holds that $\pi^k \models_k \varphi$ iff
$|[\varphi]|_k$ is true.

First consider the easier no-loop case (b): By the above we have that none of the $l_i$
variables is true. In this case we can simplify the encoding by substituting $\bot$ for every $l_i$
variable and simplifying the result. After doing this it is easy to check that the encoding
of $|[\varphi]|_k$ behaves as if $\pi^{k+1} \not\models \psi_i$ for all subformulas $\psi_i \in \mathit{cl}(\psi)$. It is now easy to check
that at index $k$ this matches the definition of the no-loop semantics $\models_{nl}$ for all temporal
operators, and thus the semantics matches $\models_{nl}$ also for all indices $0 \le i < k$.

Now consider the $(k, j)$-loop case (a): Recall that an LTL formula can be evaluated in a
lasso-shaped Kripke structure by a CTL model checker by prefixing each temporal operator
with an E path quantifier [TH02], which results in a CTL state formula. Thus in a $(k, j)$-loop
we need to only consider the truth value of LTL formulas at indices $0 \le i \le k$, as the truth
values for any larger index, for example $i = k+1$, can be reduced to evaluating the LTL
formula at the corresponding state of the model, in this case the loop state $i = j$.

By the above we know that $l_j$ is the only loop selector variable which is true, and
that the subformulas are correctly evaluated for all indices by the induction hypothesis. If
$\varphi = X \psi_1$, the encoding of $|[\varphi]|_k$ picks the truth value of $\psi_1$ from $|[\psi_1]|_j$, corresponding to
the index $k+1$ in the $(k, j)$-loop (recall that $l_j$ is the only loop selector variable which
holds), and we are done.

In the case $\varphi = \psi_1 \mathrel{U} \psi_2$ we have to do a case analysis. First consider case (i): $\pi^i \models \psi_2$
for some $j \le i \le k$, and therefore $\pi^i \models \psi_1 \mathrel{U} \psi_2$. Without loss of generality, pick the smallest
such $i$. Now clearly at index $i$ the auxiliary translation $\langle\langle \psi_1 \mathrel{U} \psi_2 \rangle\rangle_i$ is true. Because the
auxiliary translation $\langle\langle \psi_1 \mathrel{U} \psi_2 \rangle\rangle_n$ for indices $j \le n < i$ is just the one-step identity of
until, $\langle\langle \psi_1 \mathrel{U} \psi_2 \rangle\rangle_n$ is true iff $\pi^n \models \psi_1 \mathrel{U} \psi_2$. In particular, at the loop point $j$ we have:
$\langle\langle \psi_1 \mathrel{U} \psi_2 \rangle\rangle_j$ is true iff $\pi^j \models \psi_1 \mathrel{U} \psi_2$. Now consider case (ii): $\pi^i \not\models \psi_2$ for all $j \le i \le k$.
In this case clearly $\pi^j \not\models \psi_1 \mathrel{U} \psi_2$. It is now easy to check from the definition of the
auxiliary encoding that $\langle\langle \psi_1 \mathrel{U} \psi_2 \rangle\rangle_n$ is false for all indices $j \le n \le k$. In both cases we
have that $\langle\langle \psi_1 \mathrel{U} \psi_2 \rangle\rangle_j$ is true iff $\pi^j \models \psi_1 \mathrel{U} \psi_2$, and because the encoding of $|[\psi_1 \mathrel{U} \psi_2]|_k$ uses
$\langle\langle \psi_1 \mathrel{U} \psi_2 \rangle\rangle_j$ to obtain the value of $\pi^{k+1} \models \psi_1 \mathrel{U} \psi_2$, we have $\pi^k \models \psi_1 \mathrel{U} \psi_2$ iff $|[\psi_1 \mathrel{U} \psi_2]|_k$
is true.
In the case $\varphi = \psi_1 \mathrel{R} \psi_2$ we have to do a very similar (dual) case analysis. First consider
case (i): $\pi^i \not\models \psi_2$ for some $j \le i \le k$, and therefore $\pi^i \not\models \psi_1 \mathrel{R} \psi_2$. Without loss of generality,
pick the smallest such $i$. Now clearly at index $i$ the auxiliary translation $\langle\langle \psi_1 \mathrel{R} \psi_2 \rangle\rangle_i$ is
false. Because the auxiliary translation $\langle\langle \psi_1 \mathrel{R} \psi_2 \rangle\rangle_n$ for all indices $j \le n < i$ is just the
one-step identity for release, $\langle\langle \psi_1 \mathrel{R} \psi_2 \rangle\rangle_n$ is true iff $\pi^n \models \psi_1 \mathrel{R} \psi_2$. In particular, at the loop
point $j$ we have: $\langle\langle \psi_1 \mathrel{R} \psi_2 \rangle\rangle_j$ is true iff $\pi^j \models \psi_1 \mathrel{R} \psi_2$. Now consider case (ii): $\pi^i \models \psi_2$ for
all $j \le i \le k$. In this case clearly $\pi^j \models \psi_1 \mathrel{R} \psi_2$. It is now easy to check from the definition
of the auxiliary encoding that $\langle\langle \psi_1 \mathrel{R} \psi_2 \rangle\rangle_n$ is true for all indices $j \le n \le k$. In both cases
we have that $\langle\langle \psi_1 \mathrel{R} \psi_2 \rangle\rangle_j$ is true iff $\pi^j \models \psi_1 \mathrel{R} \psi_2$, and because the encoding $|[\psi_1 \mathrel{R} \psi_2]|_k$ uses
$\langle\langle \psi_1 \mathrel{R} \psi_2 \rangle\rangle_j$ to obtain the value of $\pi^{k+1} \models \psi_1 \mathrel{R} \psi_2$, we have $\pi^k \models \psi_1 \mathrel{R} \psi_2$ iff $|[\psi_1 \mathrel{R} \psi_2]|_k$
is true.

Thus by forcing the top level formula $|[\psi]|_0$ to be true we get that $M$ has an initialised
path $\pi$ such that $\pi \models_k \psi$ iff $|[M, \psi, k]|$ is satisfiable, from which the full theorem follows. □

The encoding has a few desirable properties, of which the most important one is that
when the encoding is seen as a Boolean circuit where the loop selector variables and the
atomic propositions of the model are input variables, the size of the generated formula is
$O(|I| + k \cdot |T| + k \cdot |\psi|)$. The encoding also has a unique model property in the following sense:
if the $(k, l)$-loop is given (i.e., the computation $\pi$ together with the $l_j$ variables are fixed),
the Boolean circuit representing the LTL encoding has no free variables. Consequently,
there is no nondeterminism in evaluating the circuit that evaluates the LTL formula, and
if the encoding is satisfiable the given $(k, l)$-loop defines a unique model of the Boolean
circuit.

If the loop selector variables, atomic propositions and their negations are seen as inputs
to the circuit, the circuit for the LTL encoding $|[\psi]|_0$ is monotonic. This can be exploited
to devise an improved encoding of the Boolean circuit to conjunctive normal form (CNF)
formulas. A similar optimisation has been presented in the encoding of [FSW02].

The original encoding [BCCZ99] and its improved version [CPRS02] both result in formulas
that are at least quadratic w.r.t. $k$. Frisch et al. [FSW02] have presented an alternative
encoding based on normal forms for LTL. This so-called fixpoint encoding is more efficient
than previous attempts, but it produces formulas that are non-linear w.r.t. $k$ [LBHJ04]. An
improved version of the fixpoint encoding, which includes a generalisation to PLTL, is linear
w.r.t. $k$ but does not provide minimal length counterexamples for PLTL formulas [CRS04].
Note that [CRS04] contains an ambiguity in its description that may lead to an implementation
choice that results in wrong handling of formulas containing past temporal operators.
For details see Sect. 5. The normal form used in the fixpoint encoding [FSW02] is similar
to tableau methods for constructing a symbolic Büchi automaton representing an LTL
formula $\psi$. It is also possible to do BMC by applying the automata theoretic approach and
symbolically encoding a product system $M \times A_\psi$ [dMRS02, CKOS05]. BMC is performed
by searching for fair loops in the product system. This approach produces a linear size
encoding if the search for fair loops is encoded with an encoding such as [CPRS02, LBHJ04]
that can encode $GF\,p$ in linear size. Since this method only searches for looping
counterexamples, it must sometimes go deeper than other methods that also accept no-loop safety
counterexamples.

See [HN03] for earlier work on linear size bounded model checking encodings for LTL
employing logic programs with the stable model semantics instead of SAT. This work
does not directly give us a linear size SAT encoding because the best known automatic
translations from logic programs with the stable model semantics into SAT are super-linear
(roughly $O(n \log_2 n)$), see [Jan04].

3.2. BMC for LTL with Eventualities. An alternative approach to encoding the semantics
of LTL formulas is to use an eventuality encoding, which in the loop case requires that for
each until formula $\psi_1 \mathrel{U} \psi_2$ the right hand side formula $\psi_2$ holds at some point in the loop
(and dually for release). The main idea for until formulas is to first evaluate whether the
eventuality formula $F\,\psi_2$ holds in the last state $k$, and to use this knowledge to evaluate the
value of the main encoding. If we know that $F\,\psi_2$ does not hold at $k$, then surely $\psi_1 \mathrel{U} \psi_2$
cannot hold at $k$ either. In all other cases the one-step LTL identities actually evaluate
the bounded LTL semantics correctly. A dual construction is applied for release formulas.
This idea enables one to replace the auxiliary encodings of until and release with
simpler ones, but at the same time the encoding becomes a set of Boolean equations with
cyclic dependencies between variables instead of a Boolean circuit where no such cyclic
dependencies exist. Having cyclic dependencies allows for a slightly smaller encoding but
in our opinion makes the approach a bit harder to understand.

The eventuality encoding is quite similar to the fixpoint evaluation encoding, so only
the LTL part of the new encoding will be presented. The encoding is no longer defined as
a recursive function over the LTL formula but as Boolean constraints over the so-called
formula variables, which are fresh unconstrained propositional variables. There is a
variable $|[\varphi]|_i$ for every subformula $\varphi \in \mathit{cl}(\psi)$ and for all $0 \le i \le k+1$. The interpretation
of $|[\varphi]|_i$ is still that it is true iff $\varphi$ holds at position $i$ in the model. For propositional LTL
formulas the encoding is as follows:





$$
\begin{array}{ll}
\varphi & 0 \le i \le k \\ \hline
p & |[p]|_i \Leftrightarrow p \in L(s_i) \\
\lnot p & |[\lnot p]|_i \Leftrightarrow p \notin L(s_i) \\
\psi_1 \land \psi_2 & |[\psi_1 \land \psi_2]|_i \Leftrightarrow |[\psi_1]|_i \land |[\psi_2]|_i \\
\psi_1 \lor \psi_2 & |[\psi_1 \lor \psi_2]|_i \Leftrightarrow |[\psi_1]|_i \lor |[\psi_2]|_i
\end{array}
$$

(The propositional variables at index $k+1$ are constrained only by $|[\mathit{LastStateFormula}]|_k$ below, since no state $s_{k+1}$ is part of the unrolling.)
The encoding for the temporal subformulas is changed to the following (the only thing that
changes is the encoding at index $k$):

$$
\begin{array}{ll}
\varphi & 0 \le i \le k \\ \hline
X \psi_1 & |[X \psi_1]|_i \Leftrightarrow |[\psi_1]|_{i+1} \\
\psi_1 \mathrel{U} \psi_2 & |[\psi_1 \mathrel{U} \psi_2]|_i \Leftrightarrow |[\psi_2]|_i \lor \big( |[\psi_1]|_i \land |[\psi_1 \mathrel{U} \psi_2]|_{i+1} \big) \\
\psi_1 \mathrel{R} \psi_2 & |[\psi_1 \mathrel{R} \psi_2]|_i \Leftrightarrow |[\psi_2]|_i \land \big( |[\psi_1]|_i \lor |[\psi_1 \mathrel{R} \psi_2]|_{i+1} \big)
\end{array}
$$
To compensate for the change at index $k$ we add for each subformula $\varphi \in \mathit{cl}(\psi)$ the
following constraints $|[\mathit{LastStateFormula}]|_k$:

$$
\begin{array}{ll}
\text{Base} & \lnot \mathit{LoopExists} \Rightarrow \big( |[\varphi]|_{k+1} \Leftrightarrow \bot \big) \\
1 \le i \le k & l_i \Rightarrow \big( |[\varphi]|_{k+1} \Leftrightarrow |[\varphi]|_i \big)
\end{array}
$$

The constraints state that if there is no loop, all formula variables at index $k+1$ should
evaluate to $\bot$. This is the same as in the fixpoint evaluation encoding and results in
the no-loop case of the bounded LTL semantics. For the case when a loop exists,
the added constraints force all formula variables at index $k+1$ to get their values from
the loop point $j$, where $l_j$ holds. Note that this can create a cyclic dependency between
variables in the Boolean equation system, as $|[\varphi]|_j$ can depend indirectly through the states
$j+1, j+2, \ldots, k-1, k$ on the value of $|[\varphi]|_{k+1}$, which is constrained to be equal to $|[\varphi]|_j$
itself.

The reader might be puzzled why $|[\mathit{LoopConstraints}]|_k$ contains constraints of the
form $l_i \Rightarrow (s_{i-1} = s_k)$ while $|[\mathit{LastStateFormula}]|_k$ contains the analogous constraints with
off-by-one indices: $l_i \Rightarrow (|[\varphi]|_{k+1} \Leftrightarrow |[\varphi]|_i)$. This is an optimisation which allows detection
of no-loop safety counterexamples one unrolling of the system transition relation earlier.
This optimisation (used also in [FSW02, BC03, LBHJ04, LBHJ05, HJL05]) could easily be
undone by changing the loop shape of $(k, l)$-loops to match that of [BCRZ99] and requiring
$|[M]|_k \Leftrightarrow I(s_0) \land \bigwedge_{i=1}^{k+1} T(s_{i-1}, s_i)$ and $l_i \Rightarrow (s_i = s_{k+1})$, thus bringing the system and
formula indices back into synch.

There is still one final piece missing, because the encoding as it stands so far has models
which do not agree with the semantics of LTL. The constraints introduced so far allow the
case where $|[\psi_1 \mathrel{U} \psi_2]|$ is true at all indices of the loop even if $|[\psi_2]|$ is true at no index of the
loop (this can happen when $|[\psi_1]|$ is true at all indices of the loop). This clearly violates the
semantics of until and needs to be taken care of. In such a case the SAT solver has found
a solution for the evaluation of the cyclic dependencies between until variables mentioned
above, but this solution is not the required least fixpoint solution (see also the discussion on
this topic in Sect. 2.1). For release formulas the situation is less severe. It can be the case
that $|[\psi_2]|$ holds at all indices of the loop but $|[\psi_1 \mathrel{R} \psi_2]|$ holds at no index. This is not fatal
in the sense that in this case the semantics of release has been under-approximated (as
is also done by the no-loop safety case). In addition, the encoding has a satisfying truth
assignment where the semantics of release is, in fact, evaluated correctly.

To disallow assignments as described above, where the eventualities of until and release
are not fulfilled, we use a set of auxiliary constraints for until and release subformulas. The
constraints perform a similar function to the auxiliary encoding of until and release in the
fixpoint encoding. In the table below $\langle\langle \varphi \rangle\rangle_i$ are new auxiliary formula variables used by the
constraints.





$$
\begin{array}{ll}
\varphi & \text{Base} \\ \hline
\psi_1 \mathrel{U} \psi_2 & \mathit{LoopExists} \Rightarrow \big( |[\psi_1 \mathrel{U} \psi_2]|_k \Rightarrow \langle\langle F \psi_2 \rangle\rangle_k \big) \\
\psi_1 \mathrel{R} \psi_2 & \mathit{LoopExists} \Rightarrow \big( |[\psi_1 \mathrel{R} \psi_2]|_k \Leftarrow \langle\langle G \psi_2 \rangle\rangle_k \big) \\
\psi_1 \mathrel{U} \psi_2 & \langle\langle F \psi_2 \rangle\rangle_0 \Leftrightarrow \bot \\
\psi_1 \mathrel{R} \psi_2 & \langle\langle G \psi_2 \rangle\rangle_0 \Leftrightarrow \top \\[1ex]
\varphi & 1 \le i \le k \\ \hline
\psi_1 \mathrel{U} \psi_2 & \langle\langle F \psi_2 \rangle\rangle_i \Leftrightarrow \langle\langle F \psi_2 \rangle\rangle_{i-1} \lor \big( \mathit{InLoop}_i \land |[\psi_2]|_i \big) \\
\psi_1 \mathrel{R} \psi_2 & \langle\langle G \psi_2 \rangle\rangle_i \Leftrightarrow \langle\langle G \psi_2 \rangle\rangle_{i-1} \land \big( \lnot \mathit{InLoop}_i \lor |[\psi_2]|_i \big)
\end{array}
$$
We use the names $\langle\langle F \psi_2 \rangle\rangle_i$ and $\langle\langle G \psi_2 \rangle\rangle_i$ for the auxiliary variables because they describe the
function of the constraints well. The constraint $\mathit{LoopExists} \Rightarrow (|[\psi_1 \mathrel{U} \psi_2]|_k \Rightarrow \langle\langle F \psi_2 \rangle\rangle_k)$
intuitively ensures that in the loop case, if $\psi_1 \mathrel{U} \psi_2$ holds at $k$, then there is some index
in the loop where $\psi_2$ holds. This is quite similar to, but not technically identical to, the
use of Büchi acceptance sets for ensuring the correct semantics for until, as will be shown
later. The encoding for release is only required to get the exact LTL semantics for release
formulas. The constraint $\mathit{LoopExists} \Rightarrow (|[\psi_1 \mathrel{R} \psi_2]|_k \Leftarrow \langle\langle G \psi_2 \rangle\rangle_k)$ could be safely dropped
if we allow the satisfying models of the encoding to safely under-approximate the bounded
semantics instead of exactly capturing it.⁴ Dropping the auxiliary constraints could also
be done for the fixpoint encoding of Sect. 3.1 by adding $|[\mathit{LastStateFormula}]|_k$ constraints
for release subformulas. The intuitive idea of the auxiliary encoding is that if a loop exists,
$\langle\langle F \psi_2 \rangle\rangle_k$ ($\langle\langle G \psi_2 \rangle\rangle_k$) is the evaluation of the formula $F\,\psi_2$ ($G\,\psi_2$) at $\pi^k$.

We denote the constraints on the formula variables and the auxiliary variables above
with $|[\mathit{EventuallyLTL}]|_k$. The conjunction of these four sets of constraints and requiring
that the formula holds in the initial state forms the full eventuality encoding of the
bounded model checking problem into SAT:

$$
|[M, \psi, k]| := |[M]|_k \land |[\mathit{LoopConstraints}]|_k \land |[\mathit{LastStateFormula}]|_k \land |[\mathit{EventuallyLTL}]|_k \land |[\psi]|_0 .
$$

Theorem 3.2. Given a Kripke structure $M$ and an LTL formula $\psi$, $M$ has an initialised
path $\pi$ such that $\pi \models \psi$ iff there exists a $k \in \mathbb{N}$ such that the eventuality encoding $|[M, \psi, k]|$
is satisfiable. In particular, if $\pi \models_k \psi$ then the eventuality encoding $|[M, \psi, k]|$ is satisfiable.

Proof. We proceed similarly to the proof of Thm. 3.1 and will only give the changes to
the proof needed to reflect the changes in the encoding. The only changes are the encoding
of temporal subformulas at index $k$, the use of proxy variables $|[\varphi]|_{k+1}$, the new auxiliary
encoding $|[\mathit{EventuallyLTL}]|_k$, and the new $|[\mathit{LastStateFormula}]|_k$ constraints.

We will now prove by induction on the structure of the LTL formula $\psi$ that the
eventuality encoding is satisfiable and for all $\varphi \in \mathit{cl}(\psi)$, $0 \le i \le k$: $\pi^i \models_k \varphi$ iff in the unique
satisfying truth assignment of the eventuality encoding $|[\varphi]|_i$ is true.

First consider the no-loop case (b): In this case, because $\mathit{LoopExists}$ is false, it is easy
to see that the new $|[\mathit{LastStateFormula}]|_k$ constraints will force the proxy variables $|[\varphi]|_{k+1}$
to $\bot$, and the encoding becomes exactly the same as in the fixpoint encoding case and thus
has a unique satisfying truth assignment. Also the new auxiliary encoding constraints will
lead to a unique satisfying truth assignment as $\mathit{LoopExists}$ is false.

Now consider the $(k, j)$-loop case (a): Recall from the proof of Thm. 3.1 that in a
$(k, j)$-loop we need to only consider the truth value of LTL formulas at indices $0 \le i \le k$,
as the truth values for any larger index, for example $i = k+1$, can be reduced to evaluating
the LTL formula at the corresponding state of the model, in this case the loop state $i = j$.

By earlier analysis we know that $l_j$ is the only loop selector variable which is true,
and that the encoding for all subformulas is correctly evaluated for all indices by the
induction hypothesis. In this case the $|[\mathit{LastStateFormula}]|_k$ constraints are satisfiable and
uniquely set the value of the proxy variable $|[\varphi]|_{k+1}$ for every subformula $\varphi \in \mathit{cl}(\psi)$ to be
equivalent to the value of the subformula at the loop point $j$, namely $|[\varphi]|_j$. Therefore we
do not need to consider the index $i = k+1$ in our proofs provided that the index $i = j$ is
evaluated correctly.

If $\varphi = X \psi_1$, the encoding differs from the fixpoint evaluation encoding only at the
index $k$. The encoding of $|[\varphi]|_k$ together with $|[\mathit{LastStateFormula}]|_k$ picks the truth value of
$\psi_1$ from $|[\psi_1]|_j$, corresponding to the index $k+1$ in the $(k, j)$-loop (recall that $l_j$ is the only
loop selector variable which holds), all constraints are satisfiable in a unique way, and we
are done.

⁴ This is similar to the fact that most LTL to Büchi automata translations do not employ acceptance sets
for release.

For until and release formulas our proof strategy is the following. We first prove that if
there is a satisfying truth assignment then it must for the end point $n = k$ have the property
that $\pi^n \models_k \varphi$ iff $|[\varphi]|_n$ is true. After this we observe that for both until and release formulas
the following holds: the truth assignment that matches the bounded semantics of LTL for
all indices is satisfiable. We will simultaneously prove uniqueness by noting that any truth
assignment which matches the bounded semantics of LTL at the index $n = k$ will force all
other variables of the truth assignment to a unique value that matches the semantics of
LTL for all indices, and also satisfies the auxiliary encoding in a unique way. This is the
case because when the truth value of $|[\varphi]|_k$ is fixed, for all other $0 \le n < k$ the formula
$|[\varphi]|_n$ will obtain a truth value in a functional way based on the value of $|[\varphi]|_{n+1}$, matching
the bounded semantics of LTL. Also the encoding of $|[\varphi]|_k$ is satisfiable, as it matches the
bounded semantics of LTL, and $|[\varphi]|_{k+1}$ matches the value of $|[\varphi]|_j$ at the loop point $j$. The
auxiliary encoding also has a unique satisfying truth assignment as the auxiliary encoding
contains no cyclic dependencies.

In the case $\varphi = \psi_1 \mathrel{U} \psi_2$ we have to do a case analysis. First consider case (i): $\pi^i \models \psi_2$
for some $j \le i \le k$. Without loss of generality, pick the smallest such $i$ (intuition: the cyclic
dependency over until subformulas is broken at index $i$). Clearly at index $i$ the auxiliary
translation $\langle\langle F \psi_2 \rangle\rangle_i$ is true. Because of this, the auxiliary translation $\langle\langle F \psi_2 \rangle\rangle_k$ is true, and
the corresponding auxiliary translation Base constraint is satisfied. Therefore, $\pi^i \models \psi_1 \mathrel{U} \psi_2$
and $|[\psi_1 \mathrel{U} \psi_2]|_i$ is also true. Because the encoding follows the one-step identity of until we
also get for all $j \le n < i$: $|[\psi_1 \mathrel{U} \psi_2]|_n$ iff $\pi^n \models \psi_1 \mathrel{U} \psi_2$, and from the encoding at $k$ together
with $|[\mathit{LastStateFormula}]|_k$ that $|[\psi_1 \mathrel{U} \psi_2]|_k$ iff $\pi^k \models \psi_1 \mathrel{U} \psi_2$. Thus we have established
that for all indices $j \le n \le i$ and $n = k$ the encoding matches the semantics of LTL,
and because of this and our proof strategy, the encoding has a unique satisfying truth
assignment that matches the semantics of LTL for all $0 \le n \le k$. Now consider case (ii):
$\pi^i \not\models \psi_2$ for all $j \le i \le k$. In this case the auxiliary translation $\langle\langle F \psi_2 \rangle\rangle_k$ is false. We
have that $\pi^k \not\models \psi_1 \mathrel{U} \psi_2$, and if we set $|[\psi_1 \mathrel{U} \psi_2]|_k$ to be true then the auxiliary translation
Base constraint is not satisfied. Therefore we must set $|[\psi_1 \mathrel{U} \psi_2]|_k$ to false (intuition: the
cyclic dependency over until subformulas is broken at index $k$), which matches the bounded
LTL semantics of until at $n = k$ and also satisfies the auxiliary constraints. By our proof
strategy all other indices $0 \le i < k$ have a unique satisfying truth assignment obtained
from the one-step identity of until based on $|[\psi_1 \mathrel{U} \psi_2]|_k$ matching the semantics of LTL,
also leading to the satisfaction of the constraints $|[\mathit{LastStateFormula}]|_k$. In both cases
(i) and (ii) we have for all $0 \le n \le k$ that $\pi^n \models \psi_1 \mathrel{U} \psi_2$ iff in the unique satisfying truth
assignment $|[\psi_1 \mathrel{U} \psi_2]|_n$ is true.

In the case $\varphi = \psi_1 \mathrel{R} \psi_2$ we have to do a very similar (dual) case analysis. First
consider case (i): $\pi^i \not\models \psi_2$ for some $j \le i \le k$. Without loss of generality, pick the smallest
such $i$. Now clearly at index $i$ the auxiliary translation $\langle\langle G \psi_2 \rangle\rangle_i$ is false. Because of this,
the auxiliary translation $\langle\langle G \psi_2 \rangle\rangle_k$ is false, and the corresponding auxiliary translation
Base constraint is satisfied. Hence $\pi^i \not\models \psi_1 \mathrel{R} \psi_2$, and $|[\psi_1 \mathrel{R} \psi_2]|_i$ is also false. Because
the encoding follows the bounded LTL semantics of release we also get for all $j \le n < i$:
$|[\psi_1 \mathrel{R} \psi_2]|_n$ iff $\pi^n \models \psi_1 \mathrel{R} \psi_2$, and from the encoding at $k$ together with $|[\mathit{LastStateFormula}]|_k$
that $|[\psi_1 \mathrel{R} \psi_2]|_k$ iff $\pi^k \models \psi_1 \mathrel{R} \psi_2$, and we can proceed similarly to the until case. Now
consider case (ii): $\pi^i \models \psi_2$ for all $j \le i \le k$. In this case the auxiliary translation $\langle\langle G \psi_2 \rangle\rangle_k$
is true. We have that $\pi^k \models \psi_1 \mathrel{R} \psi_2$, and if we set $|[\psi_1 \mathrel{R} \psi_2]|_k$ to be false then the auxiliary
translation Base constraint is not satisfied. Therefore we must set $|[\psi_1 \mathrel{R} \psi_2]|_k$ to true,
satisfying the auxiliary constraints, and we can proceed similarly to the until case. In both
cases (i) and (ii) we have for all $0 \le n \le k$ that $\pi^n \models \psi_1 \mathrel{R} \psi_2$ iff in the unique satisfying
truth assignment $|[\psi_1 \mathrel{R} \psi_2]|_n$ is true.

Now proceed similarly to the proof of Thm. 3.1 to complete the proof. □

The eventuality encoding has the unique model property in a very similar sense as
the fixpoint evaluation encoding: after fixing the loop point and the valuation of the atomic
propositions at all time points there can only be a unique valuation of the variables of
the encoding that satisfies all the constraints. However, this cannot be explained by the
fact that the encoding is a Boolean circuit (it is not, as it contains cyclic dependencies
between variables); it follows from Thm. 3.2 that all the formula variables of the encoding
are uniquely determined by the bounded semantics of LTL.

There is some similarity between the separated normal form (SNF) encodings of [FSW02,
CRS04] for BMC and the eventuality encoding presented here in the sense that the SNF
encodings first split a (strong) until into a conjunction of a weak until and an eventuality
formula, and use this to devise the BMC encoding for all time steps. We instead use the
eventuality formula to evaluate the correct value for the (strong) until formula at the last
state $k$ only.

3.3. BMC for LTL with Büchi Automata. The knowledgeable reader has certainly
noticed the close correspondence between our eventuality encoding and the use of Büchi
automata symbolically implementing the tableau construction [LP85] for LTL model checking,
such as [BCM+92, CGH97, KPR98, Sch01]. Wolper, Vardi and Sistla were the first
to show how to compile LTL directly into Büchi automata [WVS83, VW94]. Gerth et
al. [GPVW95] suggested an algorithm that produces smaller automata. It has subsequently
been improved by a number of authors [Cou99, DGV99, SB00, EH00, GO01, GO03, ST03].
These improved versions are used today mainly in explicit-state (e.g., SPIN [Hol03]) but
also in some symbolic model checkers (e.g., VIS [VIS96]).

In the symbolic treatment of LTL, a compact symbolic representation of the automaton has
mostly been preferred to a small number of states. Büchi automata for that purpose are
usually symbolic implementations of the tableau construction in [LP85]. A first application
of the tableau in a symbolic context is given by Burch et al. [BCM+92]; for proofs and an
experimental evaluation see [CGH97]. A self-contained presentation of symbolic model
checking of LTL with past can be found in [KPR98]. Schneider exploits the temporal
hierarchy for further optimisations [Sch01].

Another consideration is the depth at which the verification procedure stops. A tight
Büchi automaton is required to accept shortest witnesses [SB05, Sch06, KV01]. Büchi
automata constructed with an algorithm based on [GPVW95] typically fail this criterion;
methods based on [LP85] such as [BCM+92, CGH97] fulfil it for the future fragment
only [SB05, Sch06]. In Sect. 5.2 we apply the idea of virtual unrolling (see Sect. 5.1)
to Büchi automata to obtain a Büchi automaton with a small symbolic representation that
is tight for PLTL. On the other hand, Awedh and Somenzi [AS06] showed experimentally
that bounded model checking with constructions based on [LP85] often leads to larger
termination depths than with those based on [GPVW95] if the property holds.

Following the automata-theoretic approach [VW86], Büchi automata are employed for
bounded model checking of infinite state systems in de Moura et al. [dMRS02], instead
of using a dedicated encoding. Clarke et al. employ Büchi automata to obtain completeness
bounds for arbitrary ω-regular properties [CKOS05]. Awedh and Somenzi present a
complete bounded model checking procedure based on such an encoding [AS04, AS06]. In
Sect. 8 we report on experiments comparing the performance of a dedicated encoding with
the automata-theoretic approach in bounded model checking. Below we first slightly modify
the eventuality encoding to obtain an encoding along the lines of [BCM+92, CGH97]. This
approach is then generalised to show how to encode emptiness checking of the product of a
model with an arbitrary Büchi automaton.



3.3.1. Modifying the Eventuality Encoding. Only minor changes are needed to obtain a
Büchi automata-based LTL encoding from the eventuality encoding. For every until and
release subformula we introduce new auxiliary variables $\langle\langle \mathit{Acc}(\cdot) \rangle\rangle_i$. The auxiliary
eventuality encoding needs to be replaced by the auxiliary Büchi encoding defined as follows:

$$
\begin{array}{ll}
\varphi & \text{Base} \\ \hline
\psi_1 \mathrel{U} \psi_2 & \mathit{LoopExists} \Rightarrow \langle\langle \mathit{Acc}(\psi_1 \mathrel{U} \psi_2) \rangle\rangle_k, \qquad \langle\langle \mathit{Acc}(\psi_1 \mathrel{U} \psi_2) \rangle\rangle_0 \Leftrightarrow \bot \\
\psi_1 \mathrel{R} \psi_2 & \mathit{LoopExists} \Rightarrow \langle\langle \mathit{Acc}(\psi_1 \mathrel{R} \psi_2) \rangle\rangle_k, \qquad \langle\langle \mathit{Acc}(\psi_1 \mathrel{R} \psi_2) \rangle\rangle_0 \Leftrightarrow \bot \\[1ex]
\varphi & 1 \le i \le k \\ \hline
\psi_1 \mathrel{U} \psi_2 & \langle\langle \mathit{Acc}(\psi_1 \mathrel{U} \psi_2) \rangle\rangle_i \Leftrightarrow \langle\langle \mathit{Acc}(\psi_1 \mathrel{U} \psi_2) \rangle\rangle_{i-1} \lor \big( \mathit{InLoop}_i \land ( |[\psi_2]|_i \lor \lnot |[\psi_1 \mathrel{U} \psi_2]|_i ) \big) \\
\psi_1 \mathrel{R} \psi_2 & \langle\langle \mathit{Acc}(\psi_1 \mathrel{R} \psi_2) \rangle\rangle_i \Leftrightarrow \langle\langle \mathit{Acc}(\psi_1 \mathrel{R} \psi_2) \rangle\rangle_{i-1} \lor \big( \mathit{InLoop}_i \land ( \lnot |[\psi_2]|_i \lor |[\psi_1 \mathrel{R} \psi_2]|_i ) \big)
\end{array}
$$

We denote the full set of modified LTL constraints with $|[\mathit{BüchiLTL}]|_k$. The conjunction of
the five sets of constraints forms the full Büchi encoding of the bounded model checking
problem into SAT:

$$
|[M, \psi, k]| := |[M]|_k \land |[\mathit{LoopConstraints}]|_k \land |[\mathit{LastStateFormula}]|_k \land |[\mathit{BüchiLTL}]|_k \land |[\psi]|_0 .
$$

By comparing to the general Büchi encoding on (k, l)-loops below, it is easy to see
that our Büchi encoding is nothing else than an emptiness checker for a symbolic Büchi
automaton following [BCM+92, CGH97]. The initial state predicate |[ψ]|_0 requires the top
level formula to hold at the initial state, the symbolic transition relation is given by the
encoding rules for propositional and temporal operators, and acceptance sets are defined by
the auxiliary translation as follows. For each until formula ψ1 U ψ2 we add an acceptance
set F_{ψ1 U ψ2} to which the states satisfying |[ψ2]|_i ∨ ¬|[ψ1 U ψ2]|_i belong, and for each
release formula ψ1 R ψ2 we add an acceptance set F_{ψ1 R ψ2} to which the states satisfying
¬|[ψ2]|_i ∨ |[ψ1 R ψ2]|_i belong.

Theorem 3.3. Given a Kripke structure M and an LTL formula ψ, M has an initialised
path π such that π ⊨ ψ iff there exists a k ∈ ℕ such that the Büchi encoding |[M, ψ, k]| is
satisfiable. In particular, if π ⊨_k ψ then the Büchi encoding |[M, ψ, k]| is satisfiable.

Proof. We prove that the auxiliary eventuality encoding is satisfiable iff the auxiliary Büchi
encoding is. The claim then follows from Thm. 3.2.

We only show that LoopExists ⇒ (¬|[ψ1 U ψ2]|_k ⇒ ⟨⟨Fψ2⟩⟩_k) is satisfiable if and only if
LoopExists ⇒ ⟨⟨Acc(ψ1 U ψ2)⟩⟩_k is satisfiable. The proof for R is similar.

The case ¬LoopExists is clear. Hence, assume LoopExists is true. We start with
the direction from left to right. First, let ⟨⟨Fψ2⟩⟩_k be true. There must be 0 ≤ i ≤ k
such that InLoop_i ∧ |[ψ2]|_i is true. This immediately gives that ⟨⟨Acc(ψ1 U ψ2)⟩⟩_i and also
⟨⟨Acc(ψ1 U ψ2)⟩⟩_k is true. Now, let ¬|[ψ1 U ψ2]|_k be true. With LoopExists ⇒ InLoop_k we
have ⟨⟨Acc(ψ1 U ψ2)⟩⟩_k.

For the other direction assume ⟨⟨Acc(ψ1 U ψ2)⟩⟩_k is true. Hence, there exists 0 ≤ i ≤ k
such that InLoop_i ∧ (|[ψ2]|_i ∨ ¬|[ψ1 U ψ2]|_i) is true. If InLoop_{i'} ∧ |[ψ2]|_{i'} for some i' we have
⟨⟨Fψ2⟩⟩_{i'} and, therefore, ⟨⟨Fψ2⟩⟩_k. Otherwise, there is 0 ≤ i' ≤ k such that InLoop_{i'} ∧
¬|[ψ1 U ψ2]|_{i'}. By definition of the encoding for U we obtain InLoop_j ⇒ ¬|[ψ1 U ψ2]|_j for
all 0 ≤ j ≤ i' and, via ¬|[ψ1 U ψ2]|_{k+1}, ¬|[ψ1 U ψ2]|_k. □

Notice that the Büchi encoding above also generates no-loop safety counterexamples.
It also has the unique model property, unlike most other Büchi automata constructions,
which do not employ acceptance sets for release formulas. The unique model property
allows us to read the exact bounded semantics for all LTL subformulas and all time indexes
considered directly from the truth assignment given by the SAT engine. As in the other
encodings, if the unique model property is not of interest to us, we can do what most other
Büchi automata constructions do and drop the constraint LoopExists ⇒ ⟨⟨Acc(ψ1 R ψ2)⟩⟩_k
and the auxiliary translation for release to obtain a slightly smaller encoding.

3.3.2. General Approach. The above approach can easily be generalised to obtain an
encoding to check existence of an initialised fair path in a fair Kripke structure. If M =
(S, T, I, L, F = {F_0, ..., F_f}) is a fair Kripke structure, it is sufficient to extend the loop
constraints with the following Büchi loop constraints:





\[
\begin{array}{l|l}
 & \text{Base} \\ \hline
 & \mathit{LoopExists} \Leftrightarrow \top \\
0 \le m \le f & \mathit{LoopExists} \Rightarrow \langle\langle Acc_m\rangle\rangle_k \\
 & \langle\langle Acc_m\rangle\rangle_0 \Leftrightarrow \bot \\
 & 1 \le i \le k \\ \hline
0 \le m \le f & \langle\langle Acc_m\rangle\rangle_i \Leftrightarrow \langle\langle Acc_m\rangle\rangle_{i-1} \vee (\mathit{InLoop}_i \wedge s_i \in F_m)
\end{array}
\]



For each acceptance set F_m an additional constraint ⟨⟨Acc_m⟩⟩ is introduced to check
satisfaction of F_m in the loop. Hence, the following conjunction forms the general Büchi encoding
of the bounded model checking problem into SAT:

\[
|[M]|_k \wedge |[\mathit{LoopConstraints}]|_k \wedge |[\mathit{B\ddot{u}chiLoopConstraints}]|_k.
\]



Theorem 3.4. Given a Kripke structure M, M has a fair (k, l)-loop π for some 1 ≤ l ≤ k
iff there exists a k ∈ ℕ such that the general Büchi encoding |[M, k]| is satisfiable.

Proof. First we show that if |[M, k]| is satisfiable then M has a fair loop. Assume |[M, k]| is
satisfiable for some k. Fix an arbitrary satisfying assignment. As LoopExists is true, there is
a unique 1 ≤ l ≤ k such that l_l is true. It follows that s_{l−1} = s_k. Hence, s_0 … s_{l−1}(s_l … s_k)^ω
is an initialised (k, l)-loop in M. Further, the loop is fair, as for each acceptance set F_m,
0 ≤ m ≤ f, there is some 0 ≤ j ≤ k such that InLoop_j is true and s_j ∈ F_m.

In the second case let M have a fair loop. We need to prove that |[M, k]| is satisfiable
for some k ∈ ℕ. Assume π = s_0 … s_{l−1}(s_l … s_k)^ω with s_{l−1} = s_k is a fair loop in M. For
each 0 ≤ m ≤ f there is l ≤ i_m ≤ k such that s_{i_m} ∈ F_m. With s_0 … s_k, LoopExists ⇔ ⊤,
l_i ⇔ i = l, InLoop_i ⇔ i ≥ l, and ⟨⟨Acc_m⟩⟩_i ⇔ i ≥ i_m for all 0 ≤ m ≤ f we obtain a
satisfying assignment for |[M, k]|. □

Note that the above variant only considers looping witnesses, as is often done in the
automata-theoretic approach to model checking of LTL. Finite (no-loop) witnesses to safety
properties help, as they do not need to close a loop, to focus attention on that part of an infinite
path that is most relevant for violation of a safety property. In addition, minimising a no-loop
witness to a safety property minimises the distance between an initial state and the
actual point of violation. In contrast, minimising a looping witness just minimises the
total length of the looping path, regardless of where the property fails. To also obtain finite
witnesses, M can be given as the product of the model, a Büchi automaton accepting looping
witnesses, and an automaton on finite words accepting finite witnesses to the property.

4. Liveness Checking as Safety Checking

While verification of safety properties can be handled using (simple) reachability checking,
verification of liveness or, more generally, ω-regular properties requires detection of fair
loops. Traditionally, loop detection is an integral part of the search algorithm [LP85, VW86,
EL87]. Bounded model checking has to pull the algorithm out of the search procedure, i.e.,
the SAT solver, by making it part of the propositional formula submitted to the SAT
solver [BCCZ99]. Building on that, we below present an approach that fully integrates loop
detection into the model.

The liveness-to-safety transformation takes a fair Kripke structure M and transforms
it into another Kripke structure M^S such that there is an initialised fair path in M iff
a certain set of states is reachable in M^S. This method makes techniques available for
arbitrary ω-regular properties that have only been applicable to safety properties so far.
It has already proven to be useful as a method to find shortest looping counterexamples
with a BDD-based model checker [SB05], and to extend SAT-based interpolation [McM03]
and large-scale directed model checking [EJ06] to ω-regular properties. On selected examples,
an exponential speedup can be observed compared to traditional BDD-based model
checking [SB04]. Still, because of its impact on the size of the state space (see below),
this approach may in many cases not be able to replace dedicated methods for verifying
ω-regular properties. In Sect. 8 we evaluate experimentally how invariant checking of a
transformed model performs in comparison to dedicated encodings for PLTL properties.
The liveness-to-safety transformation was originally proposed in [BAS02] and has been
further developed in [SB04, SB06, Sch06]. Bouajjani et al. independently applied the same
technique in the context of regular model checking [BHV04]. The presentation below
contains no new results, but deviates from previous work to emphasise similarities with the
bounded model checking approach at the core of this paper.

4.1. Transformation. A typical modelling language of a model checker allows only access
to the current and next states of a path. It is not directly possible to ask whether the
current state has been seen before, thus preventing a loop check in the model. On the
other hand, a bounded model checker has all states of the current path available on the
propositional formula level. Hence, in the latter situation the loop check is easy. The key
idea of the transformation is now to augment the model M with a second instance of the
state variables to hold a copy of one previously seen state of M. This avoids storing every
state of a (then necessarily bounded) path. Triggered by an oracle, the augmented model M^S
then at some point of a forward exploration guesses the loop start and records that
guess in the second instance of the state variables of M. Once the guess has been made,
the forward search proceeds as if moving forward from time point l to k in a witness for
a bounded model checker: record which acceptance sets have been visited (M^S contains a
corresponding set of flags), and, once all of them have been visited, try to close the loop by
comparing the current state with the recorded guess.

Figure 2: Formal definition of the liveness-to-safety transformation

Formally, the transformation is defined in Fig. 2. Let M = (S, T, I, L, F = {F_0, ..., F_f})
be a fair Kripke structure. Assume its state space S is made up of a single state variable
v with range S. We construct M^S = (S^S, T^S, I^S, L^S) as follows. The set of state variables
in M^S consists of v, v̄, l_S, InLoop, LoopClosed, and, for each acceptance set F_m, ⟨⟨Acc_m⟩⟩.
v and v̄ have range S, all other variables are Booleans. S^S, T^S, and I^S are the maximal
subsets of S × S × B × B × B × B^{f+1}, S^S × S^S, and S^S, respectively, which fulfil the constraints in
the following table. L^S is L extended with LoopClosed: L^S(s^S) = L(s) if ¬LoopClosed(s^S),
L(s) ∪ {LoopClosed} otherwise.

The original instance of the state variables, v, is subject to the same constraints in M^S
as in M (lines 1-3). For example, if s^S ∈ S^S, then it must also be the case that v(s^S) ∈ S.
Similarly, (s^S, s^S') ∈ T^S only if (v(s^S), v(s^S')) ∈ T. v̄ is the second instance of the state
variables. When the oracle l_S becomes true, the loop start is guessed by recording the
previous value of v in v̄ (line 8). InLoop then becomes and remains true to signal the fact
that the loop has been started (line 6). It prevents l_S from becoming true for a second time
(line 7), which, in turn, ensures that the recorded value in v̄ will not be overwritten (line
8). When InLoop is true, visiting an accepting set F_m is recorded in ⟨⟨Acc_m⟩⟩ (line 10).
LoopClosed can finally become true to signal that a fair loop has been found when M^S is
in the loop, all acceptance sets have been seen, and the valuation of the original instance of
the state variables, v, is equal to the guess kept in v̄ (lines 11-13).

Note the similarity with the encodings for bounded model checking presented in Sect. 3.
Lines 4-7 and line 11 correspond to the loop constraints. Lines 9, 10, and 13 are equivalent
to the part of the general Büchi encoding that handles acceptance sets. LoopExists has
been renamed to LoopClosed to emphasise that there is no implication from InLoop to
LoopClosed and LoopClosed is present in each state while there is only a single instance of
LoopExists in BMC. l_i has been turned into oracle l_S, i.e., rather than indicating that a
loop exists between states with index l − 1 and k, it triggers saving the previous value of v
in v̄. The corresponding check for equality of v and v̄ has been shifted to LoopClosed.²

Theorem 4.1 states correctness of the construction.

Theorem 4.1. Let M = (S, T, I, L, F = {F_0, ..., F_f}) be a fair Kripke structure, let M^S
be defined as above. M has an initialised fair path π iff some state s^S is reachable in M^S
such that LoopClosed(s^S) is true.

Proof. For simplicity, we restrict the proof to a single acceptance set F_0. Generalisation
to multiple acceptance sets is straightforward. States in M^S are written as tuples
(v, v̄, l_S, InLoop, LoopClosed, ⟨⟨Acc_0⟩⟩). Further, it is sufficient to prove the following
bi-implication [VW94]:

\[
\begin{array}{l}
\exists \pi = (s_0 \ldots s_{l-1})(s_l \ldots s_m \ldots s_k)^\omega \text{ initialised fair path in } M \\
\quad \text{with } k \ge m \ge l > 0 \wedge s_{l-1} = s_k \wedge s_l, \ldots, s_{m-1} \notin F_0 \wedge s_m \in F_0 \\
\Leftrightarrow \\
\exists s^S \text{ reachable in } M^S \text{ such that } \mathit{LoopClosed}(s^S) \Leftrightarrow \top
\end{array}
\]

"⇒" Let π = (s_0 … s_{l−1})(s_l … s_m … s_k)^ω be an initialised fair path in M with k ≥ m ≥
l > 0, s_{l−1} = s_k, s_l, …, s_{m−1} ∉ F_0, and s_m ∈ F_0. Clearly, for arbitrary s̄_0 ∈ S,
(s_0, s̄_0, ⊥, ⊥, ⊥, ⊥) … (s_{l−1}, s̄_0, ⊥, ⊥, ⊥, ⊥) is an initialised finite path in M^S. We
extend that prefix to reach a state s^S_k with LoopClosed(s^S_k) ⇔ ⊤ by distinguishing
four cases:

(1) k = m = l: Set s^S_l = s^S_m = s^S_k to (s_l, s_{l−1}, ⊤, ⊤, ⊤, ⊤).

(2) k = m > l: Proceed from s^S_l = (s_l, s_{l−1}, ⊤, ⊤, ⊥, ⊥) via
(s_{l+1}, s_{l−1}, ⊥, ⊤, ⊥, ⊥) … (s_{k−1}, s_{l−1}, ⊥, ⊤, ⊥, ⊥) to s^S_m = s^S_k =
(s_k, s_{l−1}, ⊥, ⊤, ⊤, ⊤).

(3) k > m = l: Continue from s^S_m = s^S_l = (s_l, s_{l−1}, ⊤, ⊤, ⊥, ⊤) via
(s_{l+1}, s_{l−1}, ⊥, ⊤, ⊥, ⊤) … (s_{k−1}, s_{l−1}, ⊥, ⊤, ⊥, ⊤) to s^S_k = (s_k, s_{l−1}, ⊥, ⊤, ⊤, ⊤).

(4) k > m > l: Combine cases (2) and (3) to obtain

(s_l, s_{l−1}, ⊤, ⊤, ⊥, ⊥)(s_{l+1}, s_{l−1}, ⊥, ⊤, ⊥, ⊥) … (s_{m−1}, s_{l−1}, ⊥, ⊤, ⊥, ⊥) ∘
∘ (s_m, s_{l−1}, ⊥, ⊤, ⊥, ⊤) … (s_{k−1}, s_{l−1}, ⊥, ⊤, ⊥, ⊤)(s_k, s_{l−1}, ⊥, ⊤, ⊤, ⊤)

"⇐" Let s^S be a reachable state in M^S with LoopClosed(s^S) ⇔ ⊤. Hence, there is an
initialised finite path π^S that ends in s^S. Let π^S_k = s^S_0 … s^S_k be the prefix of π^S such
that s^S_k is the first (and only) state in π^S_k with LoopClosed(s^S_k) ⇔ ⊤. By definition
of M^S, InLoop(s^S_k) ⇔ ⊤, v(s^S_k) = v̄(s^S_k), and ⟨⟨Acc_0⟩⟩(s^S_k) ⇔ ⊤. Further, InLoop
starts off false at s^S_0, switches to true when l_S becomes true at some index l > 0,
and remains true up to s^S_k. Note that l_S is true only at index l > 0. This ensures
that v̄ contains an arbitrary v̄(s^S_0) from index 0 to l − 1 and v(s^S_{l−1}) from index l
onward. Thus, we have v(s^S_k) = v̄(s^S_k) = v̄(s^S_l) = v(s^S_{l−1}). ⟨⟨Acc_0⟩⟩ also is false
initially and changes at some index l ≤ m ≤ k to true to remain there up to index
k. From the definition of ⟨⟨Acc_0⟩⟩ we have v(s^S_m) ∈ F_0 and ∀ l ≤ i < m : v(s^S_i) ∉ F_0.
It follows that, depending on the values of k, m, and l, π^S_k corresponds to one of
the shapes (1)-(4) outlined in the first part of the proof. By the construction of
M^S, in all cases π' = s_0 … s_l … s_m … s_k = v(s^S_0) … v(s^S_l) … v(s^S_m) … v(s^S_k) is an
initialised finite path in M with s_{l−1} = s_k, s_l, …, s_{m−1} ∉ F_0, and s_m ∈ F_0. Hence,
π = (s_0 … s_{l−1})(s_l … s_m … s_k)^ω is an initialised fair path in M as desired. □

² We state without proof that for a fair (k, l)-loop π there is an initialised path in the transformed model
and a satisfying assignment of the general Büchi encoding such that the valuations of l_S, InLoop, and
⟨⟨Acc_m⟩⟩ coincide on corresponding indices of the path.

The following immediate corollary enables using methods such as [SSS00, ES03, McM03,
AFF+05] to obtain a complete bounded model checking procedure for PLTL:

Corollary 4.2. Given a fair Kripke structure M, M has an initialised fair path π iff there
exists a k such that |[M^S]|_k ∧ LoopClosed(s^S_k) is satisfiable.

The liveness-to-safety transformation roughly doubles the number of state variables in
the model. It can be shown that, with a small modification of the way acceptance sets are
handled, radius and diameter of M^S increase only by a small, constant factor [Sch06]. If
forward breadth-first search is used for reachability analysis of M^S, the proof of Thm. 4.1
implies that a shortest fair looping path in M is found. If M is the product of a model
and a tight Büchi automaton B for some property ψ, that implies that the path is a
shortest witness with respect to ψ in that model.
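As an added example (not code from the paper), the two views of loop detection compared above are run side by side on a small constructed fair Kripke structure: a breadth-first search over M^S following the definition in Sect. 4.1 (Thm. 4.1, Cor. 4.2), and a brute-force stand-in for a SAT solver on the general Büchi encoding of Sect. 3.3.2 (Thm. 3.4). Both should report the same shortest fair (k, l)-loop; the state sets, transitions and acceptance sets are this example's own.

```python
from collections import deque

# Constructed fair Kripke structure M = (S, T, I, L, F); the labelling L is
# omitted because only reachability of LoopClosed matters here.
S = {0, 1, 2, 3, 4}
T = {(0, 1), (1, 2), (2, 1), (2, 3), (3, 4), (4, 2)}
I = {0}
F = ({2}, {4})        # acceptance sets F_0 and F_1; only the loop 2,3,4 visits both


def initial_states_s(S, I, F):
    """Initial states of M^S as tuples (v, v_bar, l_S, InLoop, LoopClosed, Acc):
    v initial in M, the guess v_bar arbitrary, every flag false."""
    return [(v, vbar, False, False, False, (False,) * len(F))
            for v in sorted(I) for vbar in sorted(S)]


def successors_s(state, T, F):
    """Transition relation T^S, following lines 1-13 of the transformation:
    v steps as in M, the oracle l_S may fire once, firing copies the previous v
    into v_bar, InLoop stays set, Acc_m records visits to F_m inside the loop,
    and LoopClosed requires InLoop, all Acc_m and v = v_bar."""
    v, vbar, _ls, inloop, _closed, acc = state
    for (a, b) in T:
        if a != v:
            continue
        for ls_next in ((False,) if inloop else (False, True)):     # line 7
            inloop_next = inloop or ls_next                            # line 6
            vbar_next = v if ls_next else vbar                         # line 8
            acc_next = tuple(seen or (inloop_next and b in f_m)
                             for seen, f_m in zip(acc, F))             # line 10
            closed = inloop_next and all(acc_next) and b == vbar_next  # lines 11-13
            yield (b, vbar_next, ls_next, inloop_next, closed, acc_next)


def shortest_fair_lasso_l2s(S, T, I, F):
    """Breadth-first reachability of LoopClosed in M^S.  Returns (k, l, s_0..s_k)
    read off the v component of the shortest path; by Thm. 4.1 this is a fair
    (k,l)-loop of M, and BFS makes it a shortest one.  None if no fair path."""
    parent, queue = {}, deque()
    for s in initial_states_s(S, I, F):
        parent[s] = None
        queue.append(s)
    while queue:
        s = queue.popleft()
        if s[4]:                                   # LoopClosed reached
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            path.reverse()
            l = next(i for i, t in enumerate(path) if t[2])   # index where l_S fired
            return len(path) - 1, l, [t[0] for t in path]
        for t in successors_s(s, T, F):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None


def bmc_general_buechi(S, T, I, F, max_k=10):
    """Brute-force stand-in for a SAT solver on the general Buechi encoding
    |[M]|_k ^ |[LoopConstraints]|_k ^ |[BuechiLoopConstraints]|_k (Thm. 3.4):
    a path s_0..s_k of M, a loop selector l with s_{l-1} = s_k, and for every
    F_m some index i with InLoop_i (l <= i <= k) and s_i in F_m."""
    def paths(k):
        stack = [[s0] for s0 in sorted(I)]
        while stack:
            p = stack.pop()
            if len(p) == k + 1:
                yield p
            else:
                stack.extend(p + [b] for (a, b) in sorted(T) if a == p[-1])

    for k in range(1, max_k + 1):              # increasing bound, as in BMC
        for p in paths(k):
            for l in range(1, k + 1):
                if p[l - 1] == p[k] and all(
                        any(p[i] in f_m for i in range(l, k + 1)) for f_m in F):
                    return k, l, p
    return None


if __name__ == "__main__":
    print("liveness-to-safety:", shortest_fair_lasso_l2s(S, T, I, F))
    print("general Buechi BMC:", bmc_general_buechi(S, T, I, F))
```

The BFS depth at which LoopClosed first becomes true equals the smallest bound k for which the brute-force Büchi check succeeds, which is the correspondence the footnote to Sect. 4.1 states.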

4.2. Optimising the Transformation. 

BDD Variable Order. If a BDD-based model checker is used to determine reachability in
a transformed model it is important to use a variable order that interleaves the Boolean
variables making up v and v̄. Otherwise the sizes of the BDDs representing M^S may
explode [SB04].

Variable Optimisation. The overhead induced by the transformation of M into M^S mostly
stems from the additional instance of the state variables of M present in M^S. Hence, leaving
some of M's state variables out of loop detection might reduce that overhead. Kroening
and Strichman proved in the context of bounded model checking that input variables can
be ignored when computing the recurrence diameter for simple liveness properties of the
form Fp [KS03]. Eén and Sörensson [ES03] use the same idea in temporal induction for
safety properties in incremental BMC. We show below that this idea can be extended to
the liveness-to-safety transformation.

We call a state variable v_i a transition input variable iff its value in the next state, x'_i,
is not constrained by its value in the current state, x_i, and the values of other variables in
the current and next state: if ((x_0, x_1, …, x_i, …), (x'_0, x'_1, …, x'_i, …)) is a transition in T,
then, for all x''_i in the range of v_i, ((x_0, x_1, …, x_i, …), (x'_0, x'_1, …, x''_i, …)) is also in T.

A state variable v_i is irrelevant for fairness iff its value x_i does not influence whether a
state is in an acceptance set or not: for all acceptance sets F_m, we have that
(x_0, x_1, …, x_i, …) is in F_m iff for all x''_i in the range of v_i, (x_0, x_1, …, x''_i, …) is also in F_m.
Let V_I be the set of transition input variables that are irrelevant for fairness. Elements
of V_I can be left out of loop detection:

Proposition 4.3. Let M be a fair Kripke structure with set of state variables V and set
of transition input variables that are irrelevant for fairness V_I ⊆ V. Let M^S be defined as
above, and consider the variant of M^S that restricts loop detection (i.e., lines 8 and 12 in
the definition of M^S) to the variables in V \ V_I. There is a reachable state s^S such that
LoopClosed(s^S) is true in M^S iff there is one in the variant.

Proof. The "⇒"-direction is trivial. For "⇐" it is sufficient to prove the following implication:
if π^f = s_0 … s_{l−1} … s_m … s_k is an initialised finite path in M with k ≥ m ≥ l > 0,
v(s_k) = v(s_{l−1}) for all variables v ∈ V \ V_I, and s_m ∈ F_0, then π^f with its last state replaced
by s_{l−1} is an initialised finite path in M with k ≥ m ≥ l > 0, s_k = s_{l−1} and s_m ∈ F_0.

(1) By assumption, (s_{k−1}, s_k) ∈ T. Construct a sequence of states s_k = t_0, t_1, …, t_{|V_I|} =
s_{l−1} such that all t_j, t_{j+1} differ at most by the value of one variable in V_I. By
definition, for each t_j, t_{j+1}, (s_{k−1}, t_j) ∈ T iff (s_{k−1}, t_{j+1}) ∈ T. Hence, (s_{k−1}, s_{l−1}) ∈
T.

(2) If k > m, s_m ∈ F_0. Otherwise, use the same sequence of states s_k = t_0, t_1, …, t_{|V_I|} =
s_{l−1} to show that s_m = s_k ∈ F_0 iff s_{l−1} ∈ F_0.

□

Note that the restriction w.r.t. acceptance sets can be dropped if visiting an acceptance
set is detected from index l − 1 to k − 1 rather than from l to k.

We remark that if the Kripke structure being transformed is the product of a model
and a Büchi automaton generated from a PLTL formula, the set of input variables must
be determined with respect to both. Hence, input variables of the model that appear in
the PLTL property to be verified may need to be included in the loop detection. Clearly,
variables that remain constant after initialisation need not be considered for loop detection
either. Leaving constant and input variables out of loop detection as described above is
referred to as variable optimisation.³ For more aggressive optimisations, which, however,
may not preserve length of counterexamples or even lead to false positives, see [Sch06].

Kroening and Strichman assume that input variables are a separate syntactic entity.
While a corresponding IVAR declaration is available in the NuSMV input language [CCJ+06],
many benchmarks were written before NuSMV was available or don't make use of this
feature to retain compatibility with the original version of SMV [McM93, CMU]. Therefore,
Kroening and Strichman also use an approach based on the transition relation of the system.
Eén and Sörensson [ES03] additionally remove output variables. As ignoring these may lead
to shorter counterexamples on the reduced set of variables in our approach (though only by
one state), they are handled by the more aggressive optimisations in [Sch06].

5. BMC for PLTL

PLTL has features which impact the way model checking can be done. We illustrate
these features through a running example, taken from [BC03] and adapted to better suit
our setting. In this example the system to be model checked is a counter which uses a
variable x to store the counter value. The counter is initialised to 0, and the system adds



³ Note that variable optimisation could also be applied in specialised algorithms for bounded model
checking such as the one presented in Sect. 6, but this is not currently implemented.

time  0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
x     0 1 2 3 4 5 2 3 4 5  2  3  4  5  2  3  4  5

Figure 3: Execution of the counter system

one to the counter variable x at each time step until the highest value 5 is reached. After
this the counter is reset to the value 2 in the next time step and the system starts looping
as illustrated in Fig. 3. Thus the system is deterministic and the counter values can be seen
as an infinite sequence (012)(3452)^ω corresponding to a (6, 3)-loop of the system. Consider
the (6, 3)-loop of the counter system. The formula

((x = 3) ∧ YYY(x = 0))

holds only at time point 3 but not at any later time point. This demonstrates the (quite 
obvious) fact that unlike pure future LTL formulas, the PLTL past formulas can distinguish 
states which belong to different unrollings of the loop. We introduce the notion of a time 
point belonging to a d-unrolling of the loop to distinguish between different copies of each 
state in the unrolling of the loop part. 

Definition 5.1. For a (k, l)-loop π we say that the period p(π) of π is (k − l) + 1, i.e., the
number of states the loop consists of. We define that a time point i ≥ 0 in π belongs to the
d-unrolling of the loop iff d ≥ 0 is the smallest integer such that i < l + ((d + 1) · p(π)).

The formula YYY(x = 0) holds at time point 3, which belongs to the 0-unrolling of
the loop. However, at time point 7, belonging to the 1-unrolling of the loop, the formula
YYY(x = 0) does not hold even though both time points correspond to the first state in the
unrolling of the loop.

Benedetti and Cimatti [BC03] observed that encoding the BMC problem for PLTL
when the bounded path has no loop is fairly straightforward. It is simple to generalise
the no-loop case of Biere et al. [BCCZ99] to include past operators, as they have simple
semantics. In the no-loop case our encoding reduces to essentially the same as [BC03].
When loops are allowed the matter is more complicated, and therefore we will focus on this
part in the rest of this section. The fact which enables us to do bounded model checking
of PLTL formulas (containing past operators in the loop case) is the following property,
first observed by [LMS02] and later independently by [BC03]: for (k, l)-loops the ability to
distinguish between time points in different d-unrollings in the past is limited by the past
operator depth δ(φ) of a formula φ.

Proposition 5.2. Let φ be a PLTL formula and π be a (k, l)-loop. For all i ≥ l it holds
that if the time point i belongs to a d-unrolling of the loop with d > δ(φ) then: π^i ⊨ φ iff
π^j ⊨ φ, where j = i − ((d − δ(φ)) · p(π)).

Proof. The proposition directly follows from Thm. 1 and Lemma 2 of [BC03]. □

The proposition above can be interpreted as saying that after unrolling the loop δ(φ) times
the formula cannot distinguish different unrollings of the loop from each other. Therefore,
if we want to evaluate a formula at an index i belonging to a d-unrolling with d > δ(φ), it
is equivalent to evaluate the formula at the corresponding state of the δ(φ)-unrolling.
Consider again the running example where we next want to evaluate whether the
formula

\[
F((x = 3) \wedge O((x = 4) \wedge O(x = 5))) \tag{5.1}
\]

holds in the counter system. The formula expresses that it is possible to reach a point at
which the counter has had the values 3, 4, 5 in decreasing order in the past. By using the
semantics of PLTL it is easy to check that this indeed is the case. The earliest time where
the subformula ((x = 3) ∧ O((x = 4) ∧ O(x = 5))) holds is time 11 and thus the top-level
formula holds at time 0. In fact the mentioned subformula holds for all time points of the
form 11 + i · 4, where i ≥ 0 and 4 = p(π) is the period of the loop 3452. The time point 11
corresponds to a time step which is in the 2-unrolling of the loop 3452. This stabilisation at
the second unrolling is guaranteed by the past operator depth of the formula in question,
which is two. The subformula ((x = 4) ∧ O(x = 5)) has past operator depth δ(φ) = 1
and it holds for the first time at time step 8, which is in the 1-unrolling of the loop. Again
the stabilisation of the formula value is guaranteed by the past operator depth of the
formula in question, which is one. It will also hold for all time steps of the form 8 + i · 4, where
i ≥ 0. Thus, if we need to evaluate any subformula at a time step which belongs to a deeper
unrolling than its past operator depth, e.g., if we want to evaluate ((x = 4) ∧ O(x = 5))
at time step 16 in the 3-unrolling, we can just take a look at the truth value of that formula at
the time step corresponding to the unrolling of the formula to its past operator depth, in
this case at time step 8 = 16 − (3 − 1) · 4.
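The running example above, worked through as an added example that is not part of the paper: a small PLTL evaluator over a (k, l)-loop computes the period and d-unrollings of Def. 5.1 and checks the stabilisation of Prop. 5.2 on the counter system, including the time points 3, 7, 8, 11 and 16 discussed in the text. The tuple representation of formulas and the function names are this example's own.

```python
from functools import lru_cache


class Loop:
    """The infinite path pi = s_0 .. s_{l-1} (s_l .. s_k)^omega described by a
    (k,l)-loop, given as the finite prefix s_0..s_k with s_{l-1} = s_k."""

    def __init__(self, states, l):
        assert 1 <= l <= len(states) - 1 and states[l - 1] == states[-1]
        self.states, self.l, self.k = tuple(states), l, len(states) - 1
        self.period = self.k - l + 1            # p(pi) = (k - l) + 1, Def. 5.1

    def state(self, i):
        if i < self.l:
            return self.states[i]
        return self.states[self.l + (i - self.l) % self.period]

    def unrolling(self, i):
        """Smallest d >= 0 with i < l + (d+1)*p(pi): the d-unrolling of time point i."""
        return 0 if i < self.l else (i - self.l) // self.period


# PLTL formulas as nested tuples: ('x=', n), ('not', f), ('and', f, g),
# ('Y', f) yesterday, ('Z', f) weak yesterday, ('O', f) once, ('F', f) finally.
def past_depth(f):
    """delta(f): nesting depth of past operators."""
    op = f[0]
    if op == 'x=':
        return 0
    if op in ('not', 'F'):
        return past_depth(f[1])
    if op == 'and':
        return max(past_depth(f[1]), past_depth(f[2]))
    if op in ('Y', 'Z', 'O'):
        return 1 + past_depth(f[1])
    raise ValueError(op)


def holds(loop, f, i):
    """pi^i |= f under the PLTL semantics."""
    @lru_cache(maxsize=None)
    def ev(g, j):
        op = g[0]
        if op == 'x=':
            return loop.state(j) == g[1]
        if op == 'not':
            return not ev(g[1], j)
        if op == 'and':
            return ev(g[1], j) and ev(g[2], j)
        if op == 'Y':                    # false at time 0
            return j > 0 and ev(g[1], j - 1)
        if op == 'Z':                    # true at time 0
            return j == 0 or ev(g[1], j - 1)
        if op == 'O':                    # some earlier or current time point
            return any(ev(g[1], m) for m in range(j + 1))
        if op == 'F':
            # Prop. 5.2: g[1] is periodic with period p(pi) once time points lie
            # in the past_depth(g[1])-unrolling, so one more period suffices.
            horizon = max(j, loop.l + past_depth(g[1]) * loop.period) + loop.period
            return any(ev(g[1], m) for m in range(j, horizon))
        raise ValueError(op)
    return ev(f, i)


def stabilised_index(loop, f, i):
    """Prop. 5.2: if i >= l lies in a d-unrolling with d > delta(f), f has the
    same value at i and at j = i - (d - delta(f)) * p(pi)."""
    d, delta = loop.unrolling(i), past_depth(f)
    if i < loop.l or d <= delta:
        return i
    return i - (d - delta) * loop.period


def first_time(loop, f, horizon=40):
    """Earliest time point at which f holds, or None within the horizon."""
    return next((i for i in range(horizon) if holds(loop, f, i)), None)


def X(n):
    return ('x=', n)


# The counter system of Fig. 3: x = 0 1 2 (3 4 5 2)^omega, a (6,3)-loop.
COUNTER = Loop([0, 1, 2, 3, 4, 5, 2], l=3)
PAST3_ZERO = ('and', X(3), ('Y', ('Y', ('Y', X(0)))))   # (x=3) ^ YYY(x=0), delta = 3
SUB2 = ('and', X(4), ('O', X(5)))                        # delta = 1
SUB1 = ('and', X(3), ('O', SUB2))                        # delta = 2
FORMULA_5_1 = ('F', SUB1)

if __name__ == "__main__":
    print("period", COUNTER.period, "unrolling of 16:", COUNTER.unrolling(16))
    print("first time of the subformula of (5.1):", first_time(COUNTER, SUB1))
    print("time step 16 maps to", stabilised_index(COUNTER, SUB2, 16))
```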

The previous discussion suggests the following extension of the encodings presented in
Sect. 3. Intuitively, past temporal operators can be encoded in a similar way as the future
operators by using their characterisation in terms of previous and current state values.
The issue of stabilisation needs to be dealt with, though. Otherwise a subformula can have
different truth values at equivalent positions in the path, which can lead to other subformulas
being incorrectly evaluated. One way to ensure stabilisation is to extend the loop check
l_l ⇒ (s_{l−1} = s_k) to also include the truth values of all formula variables (see [KPR98]).
While being intuitive and straightforward to implement, the approach just sketched requires
that the model is unrolled deep enough so that the loop in the model is unrolled far enough to guarantee
the stabilisation of all temporal formulas.

Benedetti and Cimatti [BC03] suggested an alternative. The transition relation of the
model is only unrolled virtually. Rather than having one variable representing the truth of
a subformula at a given index in the loop, several variables |[φ]|^d_i are used per subformula
φ, which represent the truth of φ at the same relative position i to the underlying finite
path but at different unrollings d, see Fig. 4. The number of such variables required for
each subformula can be limited by Proposition 5.2.

The bound k at which a particular witness is reported may be different for both variants. 
The first variant cannot guarantee that the minimal length witnesses are found. However, 
if the bound required by the first variant is not much larger than that of the alternative, 
even with a higher bound the first encoding may be more compact as only one variable 
per subformula and index is introduced. On the other hand, if several unrollings of the 
loop are required for stabilisation, the second variant may be more compact: in that case, 
savings due to having fewer instances of the transition relation of the model will more than 
compensate for the overhead introduced by the virtual unrolling of the formula variables. 
Figure 4: Black arcs show the Kripke structure induced by virtual unrolling of the loop for
k = 6 up to depth 2 (i.e., δ(φ) = 2) when l_3 holds



Below we develop a propositional encoding of the BMC problem for PLTL that
integrates both variants. We first use the idea of Benedetti and Cimatti [BC03] to extend
the eventuality encoding for LTL with past formulas, as it is our encoding of choice for an
incremental SAT encoding to be presented in Sect. 6. Based on that we briefly discuss how
the other LTL encodings can also be extended to PLTL along similar lines. In fact, the
encoding presented in this section is essentially a non-incremental version of the incremental
PLTL encoding presented in [HJL05]. We then show that by adding a check for stabilisation
of all temporal subformulas, the level of virtual unrolling can be chosen freely between full
and no unrolling. Finally, we extend the idea of virtual unrolling to Büchi automata.



5.1. BMC for PLTL with Eventualities. The basic idea of the encoding is to virtually
unroll the path by making several copies of the original finite path. A copy of the original
path corresponds to a certain d-unrolling. If all loop selector variables l_i are false the
encoding collapses to the original path without a loop. The number of copies of the path
for a PLTL subformula φ is dictated by its past operator depth δ(φ). Since different
subformulas have different past depths, the encoding is such that subformulas with different
past depths see different Kripke structures. Figure 4 shows the running example unrolled
to depth d = 2, for evaluating the formula (5.1).

First of all the PLTL eventuality encoding contains the model constraints |[M]|_k and
the loop constraints |[LoopConstraints]|_k which are both encoded exactly as in the LTL
case.

To represent the original path and its copies, the PLTL formula variables |[φ]|^d_i have
two parameters: d is the current d-unrolling and i is the index in the current d-unrolling.
The case where d = 0 corresponds to the original k-step path. Subformulas at virtual
unrolling depth beyond their past operator depth can by Proposition 5.2 be mapped to the
depth corresponding to the past operator depth. From this we get our first rule for each
subformula φ ∈ cl(ψ):
The rest of the encoding is split into cases based on the values of i and d. The encoding
for propositional formulas is the same as in the LTL case except that each subformula has
constraints for several different d-unrollings. Constraints for atomic propositions and their
negation are straightforward. We simply project the atomic propositions onto the original
path. The Boolean operators ∨ and ∧ are encoded to stay in the current d-unrolling.

\[
\begin{array}{l|l}
 & 0 \le i \le k,\ 0 \le d \le \delta(\varphi) \\ \hline
p & |[p]|^d_i \Leftrightarrow p \in L(s_i) \\
\neg p & |[\neg p]|^d_i \Leftrightarrow p \notin L(s_i) \\
\psi_1 \wedge \psi_2 & |[\psi_1 \wedge \psi_2]|^d_i \Leftrightarrow |[\psi_1]|^d_i \wedge |[\psi_2]|^d_i \\
\psi_1 \vee \psi_2 & |[\psi_1 \vee \psi_2]|^d_i \Leftrightarrow |[\psi_1]|^d_i \vee |[\psi_2]|^d_i
\end{array}
\]
The translation of the future operators is also a very straightforward generalisation
of the pure future LTL encoding of Sect. 3.2; we just have to introduce constraints for all
d-unrollings.
The |[LastStateFormula]|_k constraints of the LTL case have to be changed in the PLTL
case to take care of binding the different unrollings of the encoding together in the way
shown by following the black arcs of Fig. 4 in the forward direction. The truth values of
|[φ]|^d_{k+1} are picked from the loop point l of the next unrolling level |[φ]|^{d+1}_l or, if we are at
the last level d = δ(φ), then from the loop point at the last level |[φ]|^{δ(φ)}_l. This is achieved
by the expression |[φ]|^{min(d+1, δ(φ))}_l. For all φ ∈ cl(ψ) the following constraints are created:





\[
\begin{array}{l|l}
 & \text{Base} \\ \hline
0 \le d \le \delta(\varphi) & \neg\mathit{LoopExists} \Rightarrow (|[\varphi]|^d_{k+1} \Leftrightarrow \bot) \\
 & 1 \le i \le k \\ \hline
0 \le d \le \delta(\varphi) & l_i \Rightarrow (|[\varphi]|^d_{k+1} \Leftrightarrow |[\varphi]|^{\min(d+1,\,\delta(\varphi))}_i)
\end{array}
\]









When d = δ(φ) we have reached the d-unrolling where the Kripke structure loops
back. At this depth we can guarantee that the satisfaction of all subformulas has stabilised
(see Proposition 5.2). Therefore at the maximum unrolling depth we add the auxiliary
translation constraints which, similarly to the LTL case, are needed to correctly evaluate
the until and release formulas along the loop.
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1 <i<k 
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((F^2))f '"^^ ^ ((FV^2»fit^ V (inLoop, A |[^2]|f '^^)) 




V'l R- V'2 


((G^2)>f'"^' ^ ((G V2))S^^ A (^InLoop, V |[V2]|f'"^^) 



The starting point for the encoding for the past operators is using their characterisation in terms of the current and the previous state. This enables the encoding of the past operators to fit in nicely with the future encoding. Since past operators look backwards, we must encode the move from one copy of the path to the previous copy efficiently.

The simplest case of the encoding for past operators occurs at d = 0. At this depth, the past is unique in the sense that the path cannot jump to a lower depth. We do not need to take into account the loop edge, so the encoding follows from the characterisation of $\psi_1\, S\, \psi_2$ and $\psi_1\, T\, \psi_2$ in terms of the current and the previous state. Encoding $Y\psi_1$ and $Z\psi_1$ is trivial.

  $\varphi$                 $i = 0,\ 0 \le d \le \delta(\varphi)$                          $1 \le i \le k,\ d = 0$
  $\psi_1\, S\, \psi_2$     $|[\psi_1 S \psi_2]|_0^d \Leftrightarrow |[\psi_2]|_0^d$       $|[\psi_1 S \psi_2]|_i^0 \Leftrightarrow |[\psi_2]|_i^0 \vee (|[\psi_1]|_i^0 \wedge |[\psi_1 S \psi_2]|_{i-1}^0)$
  $\psi_1\, T\, \psi_2$     $|[\psi_1 T \psi_2]|_0^d \Leftrightarrow |[\psi_2]|_0^d$       $|[\psi_1 T \psi_2]|_i^0 \Leftrightarrow |[\psi_2]|_i^0 \wedge (|[\psi_1]|_i^0 \vee |[\psi_1 T \psi_2]|_{i-1}^0)$
  $Y\psi_1$                 $|[Y\psi_1]|_0^d \Leftrightarrow \bot$                          $|[Y\psi_1]|_i^0 \Leftrightarrow |[\psi_1]|_{i-1}^0$
  $Z\psi_1$                 $|[Z\psi_1]|_0^d \Leftrightarrow \top$                          $|[Z\psi_1]|_i^0 \Leftrightarrow |[\psi_1]|_{i-1}^0$

When d > 0 the key challenge of the encoding is to decide whether the past operator should consider the path to continue in the current unrolling of the path or in the last state of the previous unrolling. The decision is taken based on the loop selector variables, which indicate whether we are in the loop state. In terms of our running example, we need to traverse the straight black arrows of Fig. 4 in the reverse direction. We implement the choice with an if-then-else construct $(l_i \wedge \varphi_1) \vee (\neg l_i \wedge \varphi_2)$. The expression encodes the choice: if $l_i$ is true then the truth value of the expression is decided by $\varphi_1$, otherwise $\varphi_2$ decides the truth value of the expression.

  $\varphi$                 $1 \le i \le k,\ 1 \le d \le \delta(\varphi)$
  $\psi_1\, S\, \psi_2$     $|[\psi_1 S \psi_2]|_i^d \Leftrightarrow |[\psi_2]|_i^d \vee (|[\psi_1]|_i^d \wedge ((l_i \wedge |[\psi_1 S \psi_2]|_k^{d-1}) \vee (\neg l_i \wedge |[\psi_1 S \psi_2]|_{i-1}^d)))$
  $\psi_1\, T\, \psi_2$     $|[\psi_1 T \psi_2]|_i^d \Leftrightarrow |[\psi_2]|_i^d \wedge (|[\psi_1]|_i^d \vee ((l_i \wedge |[\psi_1 T \psi_2]|_k^{d-1}) \vee (\neg l_i \wedge |[\psi_1 T \psi_2]|_{i-1}^d)))$
  $Y\psi_1$                 $|[Y\psi_1]|_i^d \Leftrightarrow (l_i \wedge |[\psi_1]|_k^{d-1}) \vee (\neg l_i \wedge |[\psi_1]|_{i-1}^d)$
  $Z\psi_1$                 $|[Z\psi_1]|_i^d \Leftrightarrow (l_i \wedge |[\psi_1]|_k^{d-1}) \vee (\neg l_i \wedge |[\psi_1]|_{i-1}^d)$

The column i = 0 has been included to make all unrollings evaluate exactly the same truth values in the no-loop case, which has a slight advantage if the encoding is used in a complete model checking procedure as described in Section 7.
Combining the tables above we get the full PLTL encoding $|[EventualityPLTL]|_k$ for $\psi$. Given a Kripke structure M, a PLTL formula $\psi$, and a bound k, the PLTL eventuality encoding propositional formula is given by:

$|[M, \psi, k]| = |[M]|_k \wedge |[LoopConstraints]|_k \wedge |[LastStateFormula]|_k \wedge |[EventualityPLTL]|_k \wedge$

The correctness of our encoding is established by the following theorem.

Theorem 5.3. Given a Kripke structure M and a PLTL formula $\psi$, M has an initialised path $\pi$ such that $\pi \models \psi$ iff there exists a $k \in \mathbb{N}$ such that the PLTL eventuality encoding $|[M, \psi, k]|$ is satisfiable. In particular, if $\pi$ then the PLTL eventuality encoding $|[M, \psi, k]|$ is satisfiable.^9

Proof. We proceed similarly to the proof of Thm. 3.2; only the changes are given below. The main change to the future-only LTL encoding is that all the subformulas $\varphi \in cl(\psi)$ are virtually unrolled to their past operator depth $\delta(\varphi)$. In addition the new past formula encodings have been introduced.

First consider the (k, j)-loop case (a): We have the same induction scheme as in the proof of Thm. 3.2. The main change is that we have to take the virtual unrolling into account. We will prove by induction on the structure of the PLTL formula that the PLTL eventuality encoding is satisfiable with a unique satisfying truth assignment. Moreover, for all pairs of indices i, d in $0 \le i \le k,\ 0 \le d \le \delta(\varphi)$ such that d = 0 or $i \ge j$ (we are in the black nodes of Fig. 4) it holds that $\pi^{i + d \cdot (k - j + 1)} \models_k \varphi$ iff in the unique satisfying truth assignment of the PLTL eventuality encoding $|[\varphi]|_i^d$ is true.

For a future subformula $\varphi \in cl(\psi)$ (the top-level subformula of $\psi$ is a future time formula) we do this by first proving that if the encoding is satisfiable, the variable $|[\varphi]|_k^{\delta(\varphi)}$ for the last state of the top unrolling of Fig. 4 is true iff $\pi^{k + \delta(\varphi) \cdot (k - j + 1)} \models_k \varphi$. This is done similarly to the proof of Thm. 3.2; only small indexing changes are needed in order to always refer to states in the unrolling $\delta(\varphi)$ both for the encoding and for the PLTL semantics. All formulas referred to in the proof have in the unrolling $\delta(\varphi)$ stabilised by Proposition 5.2 and thus we get that if the encoding is satisfiable, $|[\varphi]|_k^{\delta(\varphi)}$ is true iff $\pi^{k + \delta(\varphi) \cdot (k - j + 1)} \models_k \varphi$. Now it is also easy to check that the encoding for all other pairs of indices i, d in $0 \le i \le k,\ 0 \le d \le \delta(\varphi)$ such that d = 0 or $i \ge j$ follows the one-step identities of the bounded PLTL semantics for $\varphi$ in a functional manner (proof by induction following the straight black arcs of Fig. 4 in the reverse direction, jumping from one unrolling to the previous as shown by the arcs) and thus the truth assignment matching the bounded PLTL semantics leads to the only truth assignment satisfying all constraints of the encoding. The new part in this proof compared to the future case is that we also have to prove for all pairs of indices $0 \le i \le k,\ 0 \le d \le \delta(\varphi)$ such that d > 0 and i < j that the corresponding constraints are satisfiable in a unique way. This is the case because these constraints can be seen to form Boolean circuits where all inputs are fixed and the output is not constrained in any way. We thus obtain a unique satisfying truth assignment for the full PLTL eventuality encoding in a similar manner as in the proof of Thm. 3.2.

For a past formula $\varphi \in cl(\psi)$ the proof starts by showing that if the encoding is satisfiable, then $|[\varphi]|_0^0$ corresponding to the first state of the bottom unrolling of Fig. 4 is true iff $\pi^0 \models_k \varphi$. This can be easily checked by comparing the encoding of $|[\varphi]|_0^0$ with the PLTL semantics of past formulas combined with our induction hypothesis that the subformulas are correctly evaluated. Now it is also easy to check that the rest of the encoding for all other pairs of indices i, d in $0 \le i \le k,\ 0 \le d \le \delta(\varphi)$ such that d = 0 or $i \ge j$ follows the one-step identities of the bounded PLTL semantics for $\varphi$ in a functional manner (proof by induction following the straight black arcs of Fig. 4 in the forward direction, jumping from one unrolling to the next as shown by the arcs) and thus the truth assignment matching the bounded PLTL semantics for $\varphi$ leads to the only truth assignment satisfying all constraints of the encoding. The new part in this proof compared to the future case is that we also have to prove for all pairs of indices $0 \le i \le k,\ 0 \le d \le \delta(\varphi)$ such that d > 0 and i < j that the corresponding constraints are satisfiable in a unique way. This is the case because these constraints can be seen to form Boolean circuits where all the inputs are fixed and the output is not constrained in any way. We thus obtain a unique satisfying truth assignment for the full PLTL eventuality encoding in a similar manner as in the proof of Thm. 3.2.

^9 As an immediate corollary, minimal length (k, l)-loop counterexamples for PLTL can be detected. The encoding also detects minimal length informative safety counterexamples for PLTL.

Next consider the no-loop case (b): We first note that in the no-loop case LoopExists is false and in this case the encoding for all indices d > 0 can be seen to form Boolean circuits where all the inputs are fixed and the output is not constrained in any way. Thus all of these constraints are satisfiable in a unique way.

Therefore we only need to consider the case $d = 0,\ 0 \le i \le k$. We proceed similarly to the proof of Thm. 3.2 for future PLTL formulas, but due to the simplicity of the proof we reproduce it here. Because LoopExists is false, it is easy to see that the $|[LastStateFormula]|_k$ constraints will force the proxy variables to $\bot$, and the encoding becomes exactly the same as in the fixpoint encoding case and thus has a unique satisfying truth assignment. Also the auxiliary encoding constraints will lead to a unique satisfying truth assignment as LoopExists is false.

For a past PLTL formula $\varphi$ we first find that if the encoding is satisfiable, $|[\varphi]|_0^0$ is true iff $\pi^0 \models_{nl} \varphi$. This can be easily checked by comparing the encoding of $|[\varphi]|_0^0$ with the no-loop case PLTL semantics of past formulas combined with our induction hypothesis that the subformulas are correctly evaluated. It is also easy to check that the rest of the encoding for all other indices $0 \le i \le k$ follows the one-step identities of the no-loop case PLTL semantics for $\varphi$ in a functional manner, and thus the truth assignment matching the no-loop case PLTL semantics for $\varphi$ leads to the only truth assignment satisfying all constraints of the encoding. □

The size of the encoding is $O(|I| + k \cdot |T| + k \cdot |\psi| \cdot \delta(\psi))$. The encoding for PLTL above also has the unique model property in the same sense as in the LTL case. The unique model property allows us to read the exact bounded semantics for all PLTL subformulas and all time indices considered directly from the truth assignment given by the SAT engine. In fact, it also evaluates some value for the formula variables in the light nodes of Fig. 4. These nodes could be easily detected and forced to some fixed value (e.g., $\bot$) but that would make the encoding slightly larger. For the BMC encoding we preferred not to do that, as the truth values of these nodes do not matter because they cannot be referenced from $|[\psi]|_0^0$ by either forward or backward arcs.

Similarly to the LTL case, the PLTL eventuality encoding of this section (see Sect. 3.2 for the LTL version) can alternatively be replaced with either a PLTL fixpoint evaluation encoding [LBHJ05] (see Sect. 3.1 for the LTL version) or the Büchi encoding (see Sect. 3.3 for the LTL case). Intuitively the main difference to the LTL case is evaluating the required auxiliary encoding at such an unrolling depth $d = \delta(\varphi)$ that the evaluated formula $\varphi$ has stabilised according to Proposition 5.2.

Partial Unrolling. An interesting feature of the PLTL encoding is that a simple modification makes it sound even if we replace the function $\delta(\cdot)$ with a constant function that always returns 0. In this case the size of the encoding will be linear in $|\psi|$, and a Büchi encoding variant of the PLTL encoding becomes essentially a BMC encoding of [KPR98], see also [SB05]. In fact, we can limit the maximum virtual unrolling depth of any subformula to any value $d_{max}$ between zero (minimal size encoding, potentially longer counterexamples) and $\delta(\varphi)$ (minimal length counterexamples, larger encoding). Counterexamples will still be detected but the bound required to do so will depend on the amount of unrolling done.

For the last unrolling we have to add the stabilisation forcing constraints shown below, which constrain the past formulas to also consider that the predecessor can be the last state of the last unrolling. Such constraints are also required for the encoding of [CRS04] to work correctly for formulas containing past operators; [CRS04] does not state this explicitly. The intuition for the stabilisation forcing constraints is that they ensure that past formulas in the loop state of the last unrolling evaluate to the same truth value, no matter whether it is seen as the successor of the end state at the current or the previous unrolling. In other words, all subformulas have stabilised. Proposition 5.2 will guarantee that when we have unrolled to the maximum depth $\delta(\psi)$, these constraints will not remove any satisfying models of the encoding as the truth values of all formulas, in particular all the past formulas themselves, have stabilised when the last unrolling has been reached.
The correctness of the stabilisation constraints is not difficult to see. If we assume that for every past subformula $\varphi \in cl(\psi)$ it holds that $\pi^{j + (d_{max} - \rho(\varphi))} \models_k \varphi$ iff $\pi^{k + 1 + (d_{max} - \rho(\varphi))} \models_k \varphi$, then we can easily prove that the evaluated formula has stabilised for all subformulas at all indices in the unrolling $d_{max}$.

To prove soundness of the modified encoding we proceed as follows. If the assumption of stabilisation at $d_{max}$ does not hold, we can find a past time subformula $\varphi$ such that all its subformulas have stabilised at $d_{max}$ but $\pi^{j + (d_{max} - \rho(\varphi))} \models_k \varphi$ iff $\pi^{k + 1 + (d_{max} - \rho(\varphi))} \models_k \varphi$ does not hold. In this case it is easy to see that the original constraints force $|[\varphi]|_j^{d_{max}}$ to true iff $\pi^{j + (d_{max} - \rho(\varphi))} \models_k \varphi$, and it is easy to prove that the stabilisation forcing constraints force $|[\varphi]|_j^{d_{max}}$ to true iff $\pi^{k + 1 + (d_{max} - \rho(\varphi))} \models_k \varphi$. Therefore the whole encoding becomes unsatisfiable.

For completeness we note that Proposition 5.2 ensures that eventually all PLTL formulas become periodic. This ensures that eventually all past subformulas will satisfy the stabilisation assumption above with any value $0 \le d_{max} \le \delta(\psi)$ when k is increased large enough, for some value of j. If the assumption about stabilisation holds, then by using $\min(d_{max}, \delta(\varphi))$ in the encoding and in the proof of Thm. 5.3 instead of $\delta(\varphi)$, we can prove the encoding to be satisfiable and matching the bounded semantics of PLTL using our assumption about the stabilisation at unrolling $d_{max}$ instead of Proposition 5.2. The only new thing that needs to be proven is that the stabilisation enforcing constraints are satisfiable, and this is immediate by the new constraints and our assumption of the stabilisation of all past subformulas at the unrolling level $d_{max}$.

As a historical note, at the point of writing [LBHJ05] we were unfortunately not aware of the symbolic PLTL Büchi automata translation of [KPR98]. Quite late in writing [HJL05] we became aware of it by stumbling on a bug — stemming from the ambiguity mentioned above — in an unpublished prototype implementation of [CRS04] kindly provided to us by its authors. After we discovered that [KPR98] did not have that problem, we quickly figured out how to use a similar optimisation in our context.

5.2. Virtual Unrolling for Büchi Automata. In this subsection we extend the idea of virtual unrolling to Büchi automata. Starting from a Büchi automaton $B^\psi$ based on [KPR98], which is tight only if $\psi$ is a future time formula [SB05], we obtain a Büchi automaton $B'^\psi$ accepting the same language that is tight for all PLTL formulae $\psi$.

The situation is very similar to the BMC case: on a shortest witness, the original Büchi automaton $B^\psi$ needs some additional unrollings of the transition relation of the model M till both have a loop of the same length. Note that the intuition provided by the example below does not rely on the fact that $B^\psi$ is derived from [KPR98]. It only requires $B^\psi$ to have an accepting loop of the same length as the witness. Further generalisation to arbitrary Büchi automata is possible but so far of mostly theoretical interest [Sch06].

For technical reasons we have to deviate from the convention that $l_i$ is true at index l of a (k, l)-loop and InLoop is true from index l through index k. Rather, both are shifted one state towards the initial state, i.e., $l_i$ is true at index l − 1 (which could be regarded as being the loop start as well) and, correspondingly, InLoop is true from l − 1 through k.

The construction of the tight Büchi automaton is by and large the same as in [SB05]. The presentation is changed to highlight similarities with the encoding of PLTL for BMC in the previous subsection.

Example. We first walk through the steps of the construction using our running example in Fig. 3. Figure 5a shows a run of a [KPR98]-like Büchi automaton $B^\psi$ on the path $(01)(2345)^\omega$ — remember that we start the loop one state earlier in this subsection. The model M enters a loop of length 4 at time point 2 while $B^\psi$ needs 6 more states until it enters a loop of the same length. An accepting loop in the product $M \times B^\psi$ can be closed only at time point 12 (the last occurrence of x = 4 in Fig. 5a).

By virtually unrolling the transition relation of M (or, in other words, by folding in the transition relation of $B^\psi$) some parts of the run of $B^\psi$ can take place in parallel to reduce some or all of the excess length (Fig. 5b,c). So far, there is no difference to the BMC case. We now have to decide how to define states, transition relation, and acceptance sets of the new automaton $B'^\psi$.

The states of $B'^\psi$ consist of tuples of states of $B^\psi$ (Fig. 5d). Before the loop starts the tuples need only have size 1, i.e., they are identical to the states of $B^\psi$. After the loop start the tuples must be able to accommodate the maximal excess length of an accepting run of $B^\psi$. If $B^\psi$ is derived from [KPR98] we can obtain a similar result as in Prop. 5.2 on the excess length of accepting runs of $B^\psi$ [SB05]. Hence, the maximum required size of the tuples is given by the past operator depth of $\psi$ plus one. In practice, the tuples before the loop start also have that size but their constituent states at unrollings > 0 are disconnected from the rest of the automaton. Note that the states of $B^\psi$ at time points 6-9 and 10-13 are the same as at time points 2-5.

Figure 5: Tightening [KPR98] by example

Defining transitions not crossing a loop boundary is easy: there is a transition from one tuple state to another in $B'^\psi$ iff each pair of constituent states at the same unrolling has a transition in $B^\psi$ (Fig. 5e). When crossing a loop boundary, a constituent state at unrolling d − 1 in the pre-state is connected to a constituent state at unrolling d in the post-state. In addition, there must be a transition in $B^\psi$ between the constituent states at the highest unrolling of the pre- and post-state to ensure that a loop exists in $B'^\psi$.

Clearly, we cannot know in which state $B'^\psi$ would be in an unrolling > 0 when first entering the loop in $B^\psi$ (time point 2 in Fig. 5f). Hence, the corresponding constituent states in $B'^\psi$ are not constrained to the past.^10 The constituent states at unrolling 0 at time points 6 and 10 could in principle be forced to be identical to their predecessor at time point 2; however, it turns out that this is not required for correctness of the construction. The loop boundaries are "detected" non-deterministically using oracle variables InLoop with the same meaning as before and le indicating the last state of a loop iteration.

As acceptance of a run in $B'^\psi$ is determined in its looping part, each tuple state in $B'^\psi$ is in the acceptance set $F'_m$ of $B'^\psi$ iff its constituent state in the top unrolling belongs to the corresponding acceptance set $F_m$ of $B^\psi$ (Fig. 5g). One additional acceptance set is needed in $B'^\psi$ to guarantee that infinitely often a loop boundary is guessed. Otherwise, there might not be a connection between the bottom and top unrollings and, therefore, acceptance might not be determined correctly. Finally, an accepting loop can be closed (Fig. 5h).

Construction. We symbolically construct a Büchi automaton $B'^\psi = (S, T, I, L, F)$ for a PLTL formula $\psi$ as follows. For each $\varphi \in cl(\psi)$, V contains state variables $|[\varphi]|^0, \ldots, |[\varphi]|^{\delta(\varphi)}$ meant to represent the truth of $\varphi$ at unrollings $0 \le i \le \delta(\varphi)$. Two oracles InLoop and le signal the presumed start of the loop and the end of each loop iteration. The rest of the encoding is developed step by step below.

  line   constraint                          applies to
  1      $InLoop \Rightarrow InLoop'$        T
  2      $le \Rightarrow InLoop$             S

As in the BMC case we set $|[\varphi]|^d \Leftrightarrow |[\varphi]|^{\delta(\varphi)}$ if $d > \delta(\varphi)$. The state variables for atomic propositions are unconstrained; their valuations are linked to the corresponding atomic propositions via L, though.^11 The valuation of the state variables for Boolean operators is again the same as in the previous subsection:

^10 If $B^\psi$ is derived from [KPR98] some constraints similar to those in Sect. 5 of [HJL05] could be applied for monotonic operators.

^11 Here we assume that the product of Kripke structures is formed by demanding that product states match on shared atomic propositions, see, e.g., [Sch06]. In a symbolic setting atomic propositions often correspond directly to valuations of state variables and, hence, the product can be formed more directly by sharing these state variables.
Within a loop iteration and on the stem the valuation of the variables for temporal operators directly follows their characterisation in terms of current and next state values. Note that stem and loop are disconnected at unrollings > 0. In the following tables we sometimes use parentheses to disambiguate the scope of the next state operator ′, and 'applies to' is abbreviated with a.t.

  line   $\varphi$                 $0 \le d \le \delta(\varphi)$                                                                                                                                          a.t.
  7      $X\psi_1$                 $\neg le \wedge \neg(\neg InLoop \wedge InLoop' \wedge d > 0) \Rightarrow (|[X\psi_1]|^d \Leftrightarrow (|[\psi_1]|^d)')$                                            T
  8      $\psi_1\, U\, \psi_2$     $\neg le \wedge \neg(\neg InLoop \wedge InLoop' \wedge d > 0) \Rightarrow (|[\psi_1 U \psi_2]|^d \Leftrightarrow |[\psi_2]|^d \vee (|[\psi_1]|^d \wedge (|[\psi_1 U \psi_2]|^d)'))$     T
  9      $\psi_1\, R\, \psi_2$     $\neg le \wedge \neg(\neg InLoop \wedge InLoop' \wedge d > 0) \Rightarrow (|[\psi_1 R \psi_2]|^d \Leftrightarrow |[\psi_2]|^d \wedge (|[\psi_1]|^d \vee (|[\psi_1 R \psi_2]|^d)'))$     T
  10     $Y\psi_1$                 $\neg le \wedge \neg(\neg InLoop \wedge InLoop' \wedge d > 0) \Rightarrow ((|[Y\psi_1]|^d)' \Leftrightarrow |[\psi_1]|^d)$                                            T
  11     $Z\psi_1$                 $\neg le \wedge \neg(\neg InLoop \wedge InLoop' \wedge d > 0) \Rightarrow ((|[Z\psi_1]|^d)' \Leftrightarrow |[\psi_1]|^d)$                                            T
  12     $\psi_1\, S\, \psi_2$     $\neg le \wedge \neg(\neg InLoop \wedge InLoop' \wedge d > 0) \Rightarrow ((|[\psi_1 S \psi_2]|^d)' \Leftrightarrow (|[\psi_2]|^d)' \vee ((|[\psi_1]|^d)' \wedge |[\psi_1 S \psi_2]|^d))$     T
  13     $\psi_1\, T\, \psi_2$     $\neg le \wedge \neg(\neg InLoop \wedge InLoop' \wedge d > 0) \Rightarrow ((|[\psi_1 T \psi_2]|^d)' \Leftrightarrow (|[\psi_2]|^d)' \wedge ((|[\psi_1]|^d)' \vee |[\psi_1 T \psi_2]|^d))$     T

When the end of a loop iteration is reached, subsequent unrollings (other than the topmost) are linked by taking current state values from unrolling d and next state values from unrolling d + 1. In the topmost unrolling current and next state values are taken from the same unrolling to ensure stabilisation of all variables. This case corresponds to the loop-back case in BMC.

Variables representing past operators are initialised in unrolling 0 as usual:

Acceptance for U- and R-formulae is defined in their topmost unrolling but is otherwise standard:

Finally, we add $|[\psi]|^0$ as an initial state constraint to ensure the desired semantics and $\{le\}$ as acceptance set to guarantee that ultimately all unrollings are linked. The labelling is defined as $L(s) = \{p \in AP(\psi) \mid \dots \in F \wedge |[p]|^0(s) = \top\}$ where $AP(\psi)$ is the set of atomic propositions occurring in $\psi$.

In the following we prove that $B'^\psi$ accepts the desired language and is tight.

Lemma 5.4. $Lang(B'^\psi) = \{\sigma \mid \sigma \models \psi\}$

Proof. Let an auxiliary automaton be defined as $B'^\psi$ without the initial state constraint $|[\psi]|^0$.

(Correctness) We show that on every initialised fair path $\rho$ in $B'^\psi$ the values of $|[\varphi]|^{d_i}(\rho_i)$ represent the validity of the subformula $\varphi$ at time point i, where $d_i$ is either the number of le's seen up to time point i − 1 or $\delta(\varphi)$, whichever is smaller. Formally, let $\rho$ be an initialised fair path with $L(\rho) = \sigma$ in $B'^\psi$. For each time point i in $\rho$, let $d_i = \min(|\{j \mid (j \le i - 1) \wedge (le(\rho_j) = \top)\}|,\ \delta(\varphi))$.^12 The initial, invariant, transition, and fairness constraints on $|[\varphi]|^{d_i}$ are identical to the constraints that a Büchi automaton based on [KPR98] imposes on its state variables representing the corresponding subformula. Hence, $\sigma^i \models \varphi \Leftrightarrow |[\varphi]|^{d_i}(\rho_i)$.

(Completeness) We show that there is an initialised fair path $\rho$ in $B'^\psi$ with $L(\rho) = \sigma$ for each word $\sigma$. Choose a set of indices $U = \{i_0, i_1, \ldots\}$ (for "up") such that $le(\rho_i) \Leftrightarrow i \in U$. Further, choose $l \le i_0$ and set $InLoop(\rho_j) \Leftrightarrow j \ge l$. We inductively construct a valuation for $|[\varphi]|^d(\rho_i)$ for each subformula $\varphi$ of $\psi$, $d \le \delta(\varphi)$, and $i \ge 0$.

• If $\varphi$ is an atomic proposition p, set $|[p]|^d(\rho_i) \Leftrightarrow (\sigma^i \models p)$.

• If the top level operator of $\varphi$ is Boolean, the valuation follows directly from the semantics of the operator.

• For X, each $|[X\psi_1]|^d(\rho_i)$ appears at most once in X's defining constraint (line 7).

• $\varphi = Y\psi_1$ is similar. Note that $\delta(\psi_1) = \delta(\varphi) - 1$. Therefore, $|[Y\psi_1]|^{\delta(\varphi)} \Leftrightarrow |[\psi_1]|^{\delta(\varphi)}$ and $|[Y\psi_1]|^{\delta(\varphi)} \Leftrightarrow |[\psi_1]|^{\delta(\varphi)-1}$ are equivalent. $|[Y\psi_1]|^d(\rho_i)$ is unconstrained if d = 0 and $i - 1 \in U$ as well as if $d \ge 1$ and i = l.

• For $\varphi = \psi_1\, U\, \psi_2$ start with the topmost unrolling $\delta(\varphi)$. If $|[\psi_2]|^{\delta(\varphi)}$ remains false from some $i_d$ on, assign $|[\varphi]|^{\delta(\varphi)}(\rho_i) \Leftrightarrow \bot$ for $i \ge i_d$. Now work towards decreasing i from each $i_n$ with $|[\psi_2]|^{\delta(\varphi)}(\rho_{i_n})$ using line 8 in the definition of T for U. Continue with unrolling $\delta(\varphi) - 1$. Start at each $i \in U$ by obtaining $|[\varphi]|^{\delta(\varphi)-1}(\rho_i)$ from the previously assigned $|[\varphi]|^{\delta(\varphi)}(\rho_{i+1})$ via line 15. Then work towards decreasing i again using line 8 in the definition of T until $|[\varphi]|^{\delta(\varphi)-1}$ is assigned for all $\rho_i$. This is repeated in decreasing order for each unrolling $0 \le d < \delta(\varphi) - 1$.

• For S, start with $|[\varphi]|^0(\rho_0)$ and proceed towards increasing i, also increasing d when $i \in U$ (lines 12, 19 in the definition of T for S). When $d = \delta(\varphi)$ is reached, assign $|[\varphi]|^{\delta(\varphi)}(\rho_i)$ for all i using line 12 in the definition of T. Then, similar to U, work towards decreasing d and i from each $i \in U$.

• Z, R, and T are as their duals.

For state variables on the stem with d > 0 any assignment satisfying the constraints in the definition of $B'^\psi$ can be chosen. It is easy to verify that such an assignment always exists. Fairness follows from the definition of U, l, and the valuation chosen for U and R.

The claim is now immediate by the definition of I. □

^12 In Fig. 5 this corresponds to the thick sequence of transitions starting in unrolling 0 at time point 0, jumping to unrolling 1 between time points 5 and 6, and finally reaching unrolling 2 at time point 10.
Lemma 5.5. $B'^\psi$ is tight.

Proof. We show inductively that the valuations of the variables $|[\varphi]|^d(\rho_i)$ can be chosen such that the valuation at a given relative index in a loop iteration is the same for each iteration in an unrolling d. Formally, let $\sigma = \beta\gamma^\omega$ with $\sigma \models \psi$. There exists a run $\rho$ on $\sigma$ such that for all subformulas $\varphi$ of $\psi$

$\forall d \le \delta(\varphi).\ \forall i_1, i_2 \ge |\beta|.\ ((\exists k \ge 0.\ i_2 - i_1 = k|\gamma|) \Rightarrow (|[\varphi]|^d(\rho_{i_1}) \Leftrightarrow |[\varphi]|^d(\rho_{i_2})))$

Atomic propositions, Boolean connectives, and X are clear. Y is also easy; we only have to assign the appropriate value from other iterations when the variable is unconstrained.

For $\varphi = \psi_1\, U\, \psi_2$, by the induction hypothesis, $|[\psi_2]|^{\delta(\varphi)}$ is either always false (in which case we assign $|[\varphi]|^{\delta(\varphi)}$ to false according to the proof of Lemma 5.4) or becomes true at the same time in each loop iteration. Hence, the claim holds for unrolling $\delta(\varphi)$. From there we can proceed to lower unrollings in the same manner as in the proof of Lemma 5.4. For S we follow the order of assignments from the proof of Lemma 5.4. By induction, the claim holds for unrolling $\delta(\varphi)$. From there, we proceed towards decreasing i and d. We use, by induction, the same valuations of subformulas and the same equations (though in reverse direction) as we used to get from $|[\varphi]|^0(\rho_0)$ to unrolling $\delta(\varphi)$. Z, R, and T are as their duals. □

Theorem 5.6. Let $\psi$ be a PLTL formula, let $B'^\psi$ be defined as above. Then, $Lang(B'^\psi) = \{\sigma \mid \sigma \models \psi\}$ and $B'^\psi$ is tight.

Proof. By Lemma 5.4 and 5.5. □

As an optimisation, state variables representing atomic propositions, Boolean operators, and values of subformulas $\varphi$ at unrollings $d > \delta(\varphi)$ can be replaced with macros. If the automaton is used with the liveness-to-safety transformation (with appropriate changes to shift $l_i$ and InLoop back one state), InLoop can be taken directly from the transformation and le can be defined as LoopClosed′.



6. Incremental SAT and BMC

We now present an incremental eventuality encoding for PLTL (see Sect. 5.1 for the non-incremental version). The encoding was first published in [HJL05] and is based on an earlier PLTL fixpoint evaluation encoding published in [LBHJ05].

A promising technique for improving the performance of BMC is using incremental SAT solving. When a solver is faced with a sequence of related problems, learned clauses (see e.g., [ZMMM01]) from the previous problems can drastically improve the solution time for the next problem and thus for the whole sequence. BMC is a natural candidate for incremental solving as two BMC instances for bounds k and k + 1 are very similar. Strichman [Str01] and Whittemore et al. [WKS01] were among the first to consider incremental BMC. Both papers presented frameworks for transforming a SAT problem to the next in the sequence by adding and removing clauses from the current problem instance. Eén and Sörensson [ES03] consider incremental BMC combined with the inductive scheme presented in [SSS00]. Their approach is based on using the special syntactic structure of the BMC encoding for invariants to forward all learned clauses, and therefore they do not need to perform any potentially expensive conflict analysis for learned clauses between two sequential problem instances. Jin and Somenzi [JS05] present efficient ways of filtering learned clauses when creating the next problem instance. In [BB04] a framework for incremental SAT solving based on incremental compilation of the encoding to SAT is presented; however, their PLTL encoding is based on the original and inefficient (for past formulas) encoding of [BC03].

The incremental encoding has been designed to allow easy separation of constraints that remain active over all instances and constraints that should be removed when the bound is increased. In addition, we have tried to minimise the number of constraints that must be removed in order to allow maximal learning in a solver independent fashion. Both of these are achieved while maintaining the efficiency of the original encoding [LBHJ05].

There are a few considerations that need to be taken into account for a good incremental encoding. First of all, the encoding needs to be formulated so that it is easy to derive the case k = i + 1 from k = i. This is done by separating the encoding into a k-invariant part and a k-dependent part. The information learned from the k-invariant constraints can be reused when the bound is increased while the information learned from the k-dependent constraints needs to be discarded. Thus we try to minimise the use of k-dependent constraints in our encoding. The so-called Base constraints are also k-invariant, but they are conditions that are constant for all values of k.

Keeping the number of k-dependent constraints small is achieved largely by the introduction of proxy states, which serve as placeholders for the endpoint of a path. The disentanglement of the constraints at index k from the fixpoint encoding to the eventuality encoding by introducing formula variables also for index k + 1 can be seen as a first step in that direction. This is the reason we chose the eventuality encoding of Sect. 5.1 as the base of our incremental encoding. Below only the differences needed to obtain incrementality are given. All of the non-modified parts of the encoding are k-invariant.

The loop constraints |[LoopConstraints]|_k are modified to (changes are shown in blue boxes):

\[
\begin{array}{ll}
\text{Base} &
  l_0 \Leftrightarrow \bot, \qquad
  \mathit{InLoop}_0 \Leftrightarrow \bot \\[6pt]
\text{$k$-invariant, } 1 \le i \le k &
  l_i \Rightarrow (s_{i-1} = s_E), \qquad
  \mathit{InLoop}_i \Leftrightarrow \mathit{InLoop}_{i-1} \vee l_i, \qquad
  \mathit{InLoop}_{i-1} \Rightarrow \neg l_i \\[6pt]
\text{$k$-dependent} &
  \mathit{LoopExists} \Leftrightarrow \mathit{InLoop}_k, \qquad
  s_E = s_k
\end{array}
\]

Many k-dependent constraints of the non-incremental encoding of Sect. 5.1 have been eliminated by introducing a new special system state s_E with fresh (unconstrained) state variables acting as a proxy state for the endpoint k of the path. In the k-dependent part the proxy state s_E is constrained to be equivalent to s_k. The constraint defining the variable LoopExists is k-dependent as it is defined in terms of InLoop_k.

The |[LastStateFormula]|_k constraints are modified to (changes are shown in blue boxes):

\[
\begin{array}{ll}
\multicolumn{2}{l}{0 \le d \le \delta(\psi)} \\[4pt]
\text{Base} &
  \neg\mathit{LoopExists} \Rightarrow \big(|[\psi]|^d_L \Leftrightarrow \bot\big) \\[6pt]
\text{$k$-invariant, } 1 \le i \le k &
  l_i \Rightarrow \big(|[\psi]|^d_L \Leftrightarrow |[\psi]|^{\min(d+1,\,\delta(\psi))}_i\big) \\[6pt]
\text{$k$-dependent} &
  |[\psi]|^d_E \Leftrightarrow |[\psi]|^d_k, \qquad
  |[\psi]|^d_{k+1} \Leftrightarrow |[\psi]|^d_L
\end{array}
\]
The proxy state s_E has the corresponding new formula variables |[ψ]|^d_E, which have been introduced to make the encodings for the past formulas k-invariant. For the future formulas another proxy state with index L has been introduced. This loop proxy state introduces new formula variables |[ψ]|^d_L. All the formulas at the proxy states are bound to their corresponding states at the same time point, implementing jumping from one unrolling to another as shown in Fig. 4.

We need to extend the first rule of the PLTL encoding also to indices E and L, for each subformula φ ∈ cl(ψ):

\[
|[\varphi]|^d_E \Leftrightarrow |[\varphi]|^{\delta(\varphi)}_E \ \text{ when } d > \delta(\varphi); \quad\text{and}\quad
|[\varphi]|^d_L \Leftrightarrow |[\varphi]|^{\delta(\varphi)}_L \ \text{ when } d > \delta(\varphi).
\]

The auxiliary formula encoding is modified to (as before, changes are shown in blue boxes):

\[
\begin{array}{lll}
\text{Base} &
  \psi_1 U \psi_2 & \langle\langle F\psi_2\rangle\rangle_0 \Leftrightarrow \bot \\
& \psi_1 R \psi_2 & \langle\langle G\psi_2\rangle\rangle_0 \Leftrightarrow \top \\
& \psi_1 U \psi_2 & \mathit{LoopExists} \Rightarrow \big(|[\psi_1 U \psi_2]|^{\delta(\psi)}_E \Rightarrow \langle\langle F\psi_2\rangle\rangle_E\big) \\
& \psi_1 R \psi_2 & \mathit{LoopExists} \Rightarrow \big(|[\psi_1 R \psi_2]|^{\delta(\psi)}_E \Leftarrow \langle\langle G\psi_2\rangle\rangle_E\big) \\[6pt]
\text{$k$-invariant, } 1 \le i \le k &
  \psi_1 U \psi_2 & \langle\langle F\psi_2\rangle\rangle_i \Leftrightarrow \langle\langle F\psi_2\rangle\rangle_{i-1} \vee \big(\mathit{InLoop}_i \wedge |[\psi_2]|^{\delta(\psi)}_i\big) \\
& \psi_1 R \psi_2 & \langle\langle G\psi_2\rangle\rangle_i \Leftrightarrow \langle\langle G\psi_2\rangle\rangle_{i-1} \wedge \big(\neg\mathit{InLoop}_i \vee |[\psi_2]|^{\delta(\psi)}_i\big) \\[6pt]
\text{$k$-dependent} &
  \psi_1 U \psi_2 & \langle\langle F\psi_2\rangle\rangle_E \Leftrightarrow \langle\langle F\psi_2\rangle\rangle_k \\
& \psi_1 R \psi_2 & \langle\langle G\psi_2\rangle\rangle_E \Leftrightarrow \langle\langle G\psi_2\rangle\rangle_k
\end{array}
\]

Basically all references to the index k in the k-invariant parts have been replaced by references to E. The new k-dependent constraints bind the auxiliary encodings at E to the values of the state at the current bound k.

We also have to modify the encoding of past formulas slightly, as they explicitly mention the bound k used. The change is to replace the index k with the proxy end index E, after which the encoding becomes k-invariant. The case d = 0 does not have to be changed and is therefore omitted. The indexing changes required are again shown in blue boxes. The table below also includes the (optional) stabilisation forcing constraints.
\[
\begin{array}{ll}
1 \le i \le k,\ 1 \le d \le \delta(\psi) &
\begin{array}{l}
|[\psi_1 S \psi_2]|^d_i \Leftrightarrow |[\psi_2]|^d_i \vee \Big(|[\psi_1]|^d_i \wedge \big((l_i \wedge |[\psi_1 S \psi_2]|^{d-1}_E) \vee (\neg l_i \wedge |[\psi_1 S \psi_2]|^d_{i-1})\big)\Big) \\
|[\psi_1 T \psi_2]|^d_i \Leftrightarrow |[\psi_2]|^d_i \wedge \Big(|[\psi_1]|^d_i \vee \big((l_i \wedge |[\psi_1 T \psi_2]|^{d-1}_E) \vee (\neg l_i \wedge |[\psi_1 T \psi_2]|^d_{i-1})\big)\Big) \\
|[Y\psi_1]|^d_i \Leftrightarrow (l_i \wedge |[\psi_1]|^{d-1}_E) \vee (\neg l_i \wedge |[\psi_1]|^d_{i-1}) \\
|[Z\psi_1]|^d_i \Leftrightarrow (l_i \wedge |[\psi_1]|^{d-1}_E) \vee (\neg l_i \wedge |[\psi_1]|^d_{i-1})
\end{array} \\[10pt]
\text{stabilisation (optional), } 1 \le i \le k &
\begin{array}{l}
|[\psi_1 S \psi_2]|^{\delta(\psi)}_i \Leftrightarrow |[\psi_2]|^{\delta(\psi)}_i \vee \Big(|[\psi_1]|^{\delta(\psi)}_i \wedge \big((l_i \wedge |[\psi_1 S \psi_2]|^{\delta(\psi)}_E) \vee (\neg l_i \wedge |[\psi_1 S \psi_2]|^{\delta(\psi)}_{i-1})\big)\Big) \\
|[\psi_1 T \psi_2]|^{\delta(\psi)}_i \Leftrightarrow |[\psi_2]|^{\delta(\psi)}_i \wedge \Big(|[\psi_1]|^{\delta(\psi)}_i \vee \big((l_i \wedge |[\psi_1 T \psi_2]|^{\delta(\psi)}_E) \vee (\neg l_i \wedge |[\psi_1 T \psi_2]|^{\delta(\psi)}_{i-1})\big)\Big) \\
|[Y\psi_1]|^{\delta(\psi)}_i \Leftrightarrow (l_i \wedge |[\psi_1]|^{\delta(\psi)}_E) \vee (\neg l_i \wedge |[\psi_1]|^{\delta(\psi)}_{i-1}) \\
|[Z\psi_1]|^{\delta(\psi)}_i \Leftrightarrow (l_i \wedge |[\psi_1]|^{\delta(\psi)}_E) \vee (\neg l_i \wedge |[\psi_1]|^{\delta(\psi)}_{i-1})
\end{array}
\end{array}
\]
Combining the tables above we get the full incremental PLTL encoding |[IncPLTL]|_k for ψ. Given a Kripke structure M, a PLTL formula ψ and a bound k, the incremental PLTL eventuality encoding as a propositional formula is given by:

\[
|[M,\psi,k]| = |[M]|_k \wedge |[\mathit{LoopConstraints}]|_k \wedge |[\mathit{LastStateFormula}]|_k \wedge |[\mathit{IncPLTL}]|_k \wedge |[\psi]|^0_0 .
\]

The correctness of our encoding is established by the following theorem.

Theorem 6.1. Given a Kripke structure M and a PLTL formula ψ, M has an initialised path π such that π ⊨ ψ iff there exists a k ∈ ℕ such that the incremental PLTL eventuality encoding |[M,ψ,k]| is satisfiable. In particular, if π ⊨_k ψ then the incremental PLTL eventuality encoding |[M,ψ,k]| is satisfiable.

Proof. Note that the fact that the encoding is used incrementally does not influence the correctness of the claim. Hence, we show that the incremental PLTL eventuality encoding is satisfiable iff the (non-incremental) PLTL eventuality encoding presented in Sect. 5 is satisfiable. Correctness then follows from Thm. 5.3.

It is not hard to verify that, essentially by applying substitutions to the proxy variables, the incremental encoding can be transformed into the non-incremental version plus the following set of constraints

\[
\begin{aligned}
& s_E = s_k \\
& \neg\mathit{LoopExists} \Rightarrow \big(|[\varphi]|^d_L \Leftrightarrow \bot\big) \\
& \forall\, 1 \le i \le k:\ l_i \Rightarrow \big(|[\varphi]|^d_L \Leftrightarrow |[\varphi]|^{\min(d+1,\,\delta(\varphi))}_i\big) \\
& \forall\, 0 \le d \le \delta(\psi):\ |[\varphi]|^d_E \Leftrightarrow |[\varphi]|^d_k \\
& \forall\, 0 \le d \le \delta(\psi):\ |[\varphi]|^d_{k+1} \Leftrightarrow |[\varphi]|^d_L \\
& |[\varphi]|^d_E \Leftrightarrow |[\varphi]|^{\delta(\varphi)}_E \ \text{ and } \ |[\varphi]|^d_L \Leftrightarrow |[\varphi]|^{\delta(\varphi)}_L \ \text{ if } d > \delta(\varphi)
\end{aligned}
\]

without changing the set of satisfying truth assignments. It is easy to see that with l_i ⇒ (|[φ]|^d_{k+1} ⇔ |[φ]|^{min(d+1,δ(φ))}_i) the set of constraints is a conflict-free assignment of the proxy variables. □

The incrementality of the encoding works as follows. The encoding |[M,ψ,k+1]| for bound k + 1 is obtained from the encoding |[M,ψ,k]| for bound k. First, all the k-dependent rules, and everything learned from them by the SAT solver, have to be dropped. After this the encoding must be extended by all the constraints needed for encoding the new time step k + 1.

We have taken care to keep most of the encoding rules k-independent, and to make all of the k-dependent constraints as simple as possible (they are all just equivalences between two variables), in order to make the size of the k-dependent part as small as possible. This was done to keep the overhead relative to the non-incremental version as small as possible. The experimental results of Sect. 8 and [HJL05] confirm that the incremental approach does lead to performance benefits.



7. Completeness: Proving Properties 

In its basic form bounded model checking only finds counterexamples and does not 
prove systems to be correct. To prove that a system has no counterexamples for a given 
property with BMC, we must prove that no counterexample can be longer than a certain 
bound, the completeness threshold, and prove that there are no shorter counterexamples. 
The obvious upper bound for the completeness threshold is exponential in the number of 
state bits in the system. We could thus obtain a complete BMC procedure by always doing 
BMC until reaching this upper bound, but clearly such an approach is unacceptable and 
we actually want a procedure that will in many practical cases terminate with a much 
smaller bound. There are several approaches to making BMC complete in a more practical 
sense, i.e., which are able to prove properties by more precisely approximating the required 
completeness threshold. 

A complete method for proving invariant properties is k-induction, originally developed by Sheeran et al. [SSS00]. They give several different variants for proving invariant properties. The variant closest to our approach is the following: if the invariant holds in every state in each initialised path of length k, and there is no initialised loop-free path, which does not visit an initial state, of length k + 1, then we can conclude that the invariant holds for the system. The longest initialised loop-free path in the state graph is called the recurrence diameter, which can be used as an upper bound for the completeness threshold when proving invariants. Clearly the number of reachable states of the system gives a worst case upper bound for the recurrence diameter. For a bound k a straightforward encoding of this loop-free path predicate is of size O(k²). Kroening and Strichman [KS03] show that the size of this loop-free predicate can be optimised to O(k log² k) using sorting networks. They also suggest ways to leave out state bits from the loop-free predicate to improve efficiency while maintaining completeness. The benefits of having a smaller predicate are two-fold: a smaller predicate is easier to manage for the SAT solver, and with fewer state variables we can prove properties at shallower depths because the system loops earlier.

It is now easy to see that by combining the Büchi automata-based BMC encoding of Sect. 5.2 for PLTL and the liveness-to-safety reduction of Sect. 4 with k-induction we get a complete BMC method. The method can also be made incremental as shown in [ES03].
In this section we show a more refined approach to completeness based on the incremental BMC encoding presented in Sect. 6. The approach was first published in [HJL05]. It is based on similar ideas as [ES03] but, due to the increased flexibility of the BMC encoding, such as the ability to refer to arbitrary states in the run, it is able to avoid the doubling of the number of state bits required by the liveness-to-safety transformation. This doubling would increase the size of the already large loop-free predicate needed by the approach. Our method also works in the forward direction only (we always have the initial state predicate present), unlike some other approaches to obtaining completeness such as [ES03, RS06].

Practical experience seems to indicate that already model checking general safety properties using induction is challenging [AFF+05]. Simply synchronising a finite state automaton (FSA) representing a safety property with the system in order to model check safety properties does not scale well, and forces model checkers to go deeper than the current capacity of SAT solvers. One reason is the non-determinism in the FSA representing the property [AFF+05]. It seems that specifications using deterministic FSAs can be treated more efficiently [AFF+05, Lat03]. Our BMC encodings follow this line of reasoning by trying to be as deterministic as possible.

Two papers that consider strengthening of induction without always doing deeper BMC queries, which is expensive, are [dMRS03, AFF+05]. In [dMRS03] the inductive method of [SSS00] is generalised to an induction scheme based on simulations. Inductive invariants are automatically strengthened from failed induction proofs using a procedure based on existential quantification. Since existential quantification is resource intensive, a method for quantifying on demand is developed. Another approach is presented in [AFF+05]. They develop a methodology for flexible manual strengthening of induction. The key idea is to make the induction scheme part of the specification to allow a high degree of control of the induction process. Counterexamples produced by the model checker aid the designer in choosing new invariants.

Finding a completeness threshold for general LTL properties has proven fairly challenging. Clarke et al. [CKOS05] show how the completeness threshold can be computed for general LTL properties by computing the recurrence diameter of the product of the system and a Büchi automaton representing the negation of the property. Awedh and Somenzi [AS06] apply the same approach, but they use a refined method for calculating the completeness threshold. Both papers have the problem that they use an explicit representation of Büchi automata in their implementations. Thus, they potentially use an exponential number of state bits in the size of the formula to represent the Büchi automaton. Additionally, our encoding is able to find counterexamples for full PLTL with smaller bounds than previous methods for LTL [CKOS04, AS04], as these papers employ a method for translating generalised Büchi automata to standard (non-generalised) Büchi automata in a way (called the counter method in [AS06]) which does not preserve the minimal length of counterexamples. Recently, the authors of [AS04] have refined their approach in [AS06] to also in effect use generalised Büchi automata directly (called the flag method in [AS06]).

A different approach to proving completeness is taken by McMillan [McM03]. He uses interpolants derived from unsatisfiability proofs of BMC counterexample queries to over-approximate symbolic reachability. The deeper the BMC query is, the more exact the over-approximation is. The method is complete and can be extended to LTL model checking through the liveness-to-safety transformation discussed in Sect. 4. Although the method can in many cases converge more quickly than the recurrence diameter, which is the relevant completeness threshold for most other methods, the unsatisfiability proofs can be of exponential size and cause a blow-up.

Suggested BMC Procedure for Completeness. The incremental encoding of Sect. 6 can easily be extended to also prove properties. The basic ideas used are similar to the variant of k-induction of [SSS00] discussed above. However, the approach of [SSS00] is restricted to proving invariants, while our approach can handle proving of all PLTL properties.

The procedure starts with bound k = 0. First we create a completeness formula, denoted by ⟨⟨M,ψ,k⟩⟩, which is satisfied only for the initialised finite paths of length k which one might be able to extend to a bounded witness of formula ψ (of length k or longer). The completeness formula ⟨⟨M,ψ,k⟩⟩ we use consists of exactly the incremental translation |[M,ψ,k]| of Sect. 6 with all k-dependent constraints removed. Because these constraints are a subset of the constraints of |[M,ψ,k']| for every k' ≥ k, if ⟨⟨M,ψ,k⟩⟩ is unsatisfiable, so will also |[M,ψ,k']| be.

Now, similarly to the k-induction method, we want to conjunct the completeness formula ⟨⟨M,ψ,k⟩⟩ with a simple path formula which is satisfied only for initialised loop-free paths. This formula is needed in order to guarantee termination of the procedure. However, we use a certain product automaton instead of the Kripke structure itself. The states of this product automaton at time point i consist of tuples of: (a) the system state s_i, (b) a bit vector of the values of all formula variables |[φ]|^d_i, denoted |[s_ψ]|_i, (c) a bit vector of the values of all auxiliary formula variables, denoted ⟨⟨s_ψ⟩⟩_i, and (d) the value of the InLoop_i predicate.

As an optimisation we disregard any differences in unrollings d > 0 between two indices where InLoop_i is false, as these bits are not constrained by the top-level formula, and thus are always satisfiable (these are the light nodes of Fig. 4). To do so, we use |[s_ψ]|^0_i to denote |[s_ψ]|_i restricted to the bits |[φ]|^0_i. The simple path formula we use is the following:



If at bound k the conjunction of the completeness formula ⟨⟨M,ψ,k⟩⟩ and the simple path formula is unsatisfiable, the model checked formula ¬ψ holds in the system and the procedure can be terminated. Otherwise the witness formula |[M,ψ,k]| is created (and optionally conjuncted with the simple path formula), and the result is satisfiable for bounded witnesses of length k to the formula ψ (see Thm. 6.1). If the witness formula is satisfiable, the model checked formula does not hold, and the procedure can terminate. Otherwise, the procedure is repeated after incrementing k by one.

The |[SimplePath]|_k constraint above is obviously quadratic in k. We could use the standard simple path constraint used in other works employing k-induction by slight modifications to the encoding, e.g., forcing the light nodes of Fig. 4 to ⊥ in the encoding. This would enable, e.g., using the optimisations of [KS03].

The procedure above has been designed to be easily implemented using one incremental SAT solver only, and this is what our implementation does. The only place where constraints have to be dropped is moving from a witness formula |[M,ψ,k]| for bound k to the completeness formula ⟨⟨M,ψ,k+1⟩⟩ for bound k + 1, at which point all k-dependent constraints of |[M,ψ,k]| and everything learned from them by the SAT solver have to be dropped. We use implementation techniques similar to those of [ES03] to implement this. We have the following result:

Theorem 7.1. Given a Kripke structure M and a PLTL formula ψ, M ⊨ ψ iff for some k ≥ 0: ⟨⟨M,¬ψ,k⟩⟩ ∧ |[SimplePath]|_k is unsatisfiable and |[M,¬ψ,i]| ∧ |[SimplePath]|_i is unsatisfiable for all 0 ≤ i < k.

The proof requires the following lemma:

Lemma 7.2. Given a Kripke structure M and a PLTL formula ψ, if |[M,¬ψ,k]| is satisfiable for some k, there is k̂ ≤ k such that |[M,¬ψ,k̂]| ∧ |[SimplePath]|_k̂ is satisfiable.

Proof. We are given that |[M,¬ψ,k]| is satisfiable. If |[M,¬ψ,k]| ∧ |[SimplePath]|_k is already satisfiable for k we are done. Otherwise, the proof strategy is to show that for some k̂ < k the encoding |[M,¬ψ,k̂]| is satisfiable, and to repeat the process. By the finiteness of k, this process can only be repeated a limited number of times. The base case is given by the fact that |[SimplePath]|_0 is an empty set of constraints, thus proving termination at some k̂ where |[M,¬ψ,k̂]| ∧ |[SimplePath]|_k̂ is satisfiable.

Consider the induction step where |[M,¬ψ,k]| is satisfiable but |[SimplePath]|_k is not satisfiable. Hence, there are 0 ≤ i < j ≤ k such that s_i = s_j, InLoop_i ⇔ InLoop_j and either (a): InLoop_i ∧ InLoop_j ∧ |[s_ψ]|_i = |[s_ψ]|_j ∧ ⟨⟨s_ψ⟩⟩_i = ⟨⟨s_ψ⟩⟩_j, or (b): ¬InLoop_i ∧ ¬InLoop_j ∧ |[s_ψ]|^0_i = |[s_ψ]|^0_j. In the following we show that also |[M,¬ψ,k̂]| is satisfiable for k̂ = k − j + i, i.e., k̂ < k. Intuitively, we construct a satisfying truth assignment by "cutting out" the part of the encoding between indices i + 1 and j (both inclusive) of the satisfying truth assignment of |[M,¬ψ,k]| and "pasting together" the remaining parts by reducing all variable indices to the right of the cut point by j − i, obtaining a satisfying truth assignment for |[M,¬ψ,k̂]|.

An exception to the above rule are the formula variables with unrolling index d > 0 such that InLoop_i is false, i.e., the light nodes of Fig. 4. By similar reasoning as used in the proof of Thm. 5.3, their constraints can never lead to the unsatisfiability of the encoding, and they can therefore be ignored in constructing the (now actually partial) truth assignment below. In other words, a satisfying truth assignment for them always exists, and will be fully determined by the partial truth assignment for all the other variables to be constructed below.

Note that in the case a loop exists, either i < j < l or l ≤ i < j, as InLoop_i ⇔ InLoop_j. Hence, the loop start at index l is never cut out. For ease of notation we define a function f mapping indices from the new to the old assignment:

\[
f(n) = \begin{cases} n & \text{if } n \le i \\ n + j - i & \text{otherwise} \end{cases}
\]

With that we define:

\[
\begin{aligned}
& \forall\, 0 \le n \le \hat{k}:\ \hat{s}_n = s_{f(n)} \\
& \forall\, 0 \le n \le \hat{k}:\ \hat{l}_n \Leftrightarrow l_{f(n)} \\
& \forall\, 0 \le n \le \hat{k}:\ \widehat{\mathit{InLoop}}_n \Leftrightarrow \mathit{InLoop}_{f(n)} \\
& \widehat{\mathit{LoopExists}} \Leftrightarrow \mathit{LoopExists} \\
& \hat{s}_E = s_E
\end{aligned}
\]

We start with the model constraints. Let π be an initialised path in M induced by a satisfying truth assignment of |[M,¬ψ,k]|. Because s_i = s_j, the path π̂ constructed from π by cutting out indices i + 1 to j (both inclusive) is still an initialised path of M. Hence, the model constraints are satisfied.

For the loop constraints note first that ŝ_k̂ = s_k both in the case j < k and in the case j = k. Furthermore, a loop point is never cut out. Hence, if some l_l was true in the original assignment, there is l̂ such that l̂_l̂ is true in the new assignment. In this case we also have ŝ_{l̂−1} = s_{l−1}. Thus by simple case analysis of the loop constraints we get that they are satisfiable also in |[M,¬ψ,k̂]|.

What remains to be done is to prove that the formula encoding |[¬ψ]|^0_0 is still satisfiable in |[M,¬ψ,k̂]|. We do this by analysing the structure of the encoding rules for temporal formulas. Below, in each case we consider the mapped pairs of indices i, d such that d = 0 or InLoop_i is true. For simplicity all indices below refer to the original encoding |[M,¬ψ,k]|.

For all future formulas in |[M,¬ψ,k]| at index i the references to formula values at i + 1 have been replaced in the encoding |[M,¬ψ,k̂]| with references to formula variables at index j + 1 (note that potentially j + 1 = k + 1). Now because both the formula values at i and j are identical and the future formula constraints at i and j are identical modulo index changes, the constraints at i will still be satisfiable with the same truth assignment when all references to i + 1 have been replaced with references to j + 1.

For all past formulas in |[M,¬ψ,k]| at index j + 1 (at the loop index l, when j = k) the references to formula values at j have been replaced in the encoding |[M,¬ψ,k̂]| with references to formula variables at index i. Now because the formula values at i and j are identical, the constraints at j + 1 (at the loop index l when j = k) will still be satisfiable with the same truth assignment when all references to j have been replaced with references to i.

For the auxiliary encoding all the constraints are also satisfied by replacing all references to index j in |[M,¬ψ,k]| with references to index i in |[M,¬ψ,k̂]|. This is the case because ⟨⟨s_ψ⟩⟩_i = ⟨⟨s_ψ⟩⟩_j holds in case (a) due to the simple path constraint ⟨⟨s_ψ⟩⟩_i = ⟨⟨s_ψ⟩⟩_j, and in case (b) because the encoding for auxiliary variables keeps them constant for all indices 0 ≤ i < j < l.

Now combining all the cases above we were able to "cut out" a part of the encoding |[M,¬ψ,k]| while still retaining its satisfiability. Thus |[M,¬ψ,k̂]| will also be satisfiable. □
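The Base / k-invariant / k-dependent split of the loop constraints from Sect. 6, the drop-and-add step from bound k to k + 1, the fact used by the completeness procedure of Sect. 7 that ⟨⟨M,ψ,k⟩⟩ is a subset of |[M,ψ,k']| for k' ≥ k, and the index cut of Lemma 7.2 on the path and loop part, as an added Python example (constructed here; not code from the paper or its NuSMV implementation). Constraint rows are kept as readable text with an evaluator instead of a SAT encoding, formula variables are left out, and the helper names are hypothetical.

```python
"""Loop constraints of the incremental encoding, as constructed example code.

Illustration only (not the paper's NuSMV implementation): models the Base /
k-invariant / k-dependent rows of the |[LoopConstraints]|_k table of Sect. 6
with the proxy end state s_E, the drop/add step from bound k to k+1, and the
index cut of Lemma 7.2 on the path and loop part. Formula variables are left
out; states are arbitrary hashable values; indices run from 0 to k.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Set, Tuple

Assignment = Dict[str, object]


@dataclass(frozen=True)
class Constraint:
    text: str                             # the row as written in the table
    holds: Callable[[Assignment], bool]   # evaluates the row on an assignment


def base_constraints() -> List[Constraint]:
    """Base rows: constant for every bound k."""
    return [
        Constraint("l_0 <=> false", lambda a: a["l_0"] is False),
        Constraint("InLoop_0 <=> false", lambda a: a["InLoop_0"] is False),
    ]


def invariant_constraints(k: int) -> List[Constraint]:
    """k-invariant rows for 1 <= i <= k; the rows of bound k stay valid at k+1."""
    rows: List[Constraint] = []
    for i in range(1, k + 1):
        rows.append(Constraint(f"l_{i} => (s_{i-1} = s_E)",
                               lambda a, i=i: not a[f"l_{i}"] or a[f"s_{i-1}"] == a["s_E"]))
        rows.append(Constraint(f"InLoop_{i} <=> InLoop_{i-1} or l_{i}",
                               lambda a, i=i: a[f"InLoop_{i}"] == (a[f"InLoop_{i-1}"] or a[f"l_{i}"])))
        rows.append(Constraint(f"InLoop_{i-1} => not l_{i}",
                               lambda a, i=i: not a[f"InLoop_{i-1}"] or not a[f"l_{i}"]))
    return rows


def dependent_constraints(k: int) -> List[Constraint]:
    """k-dependent rows: dropped, with everything learned from them, when k grows."""
    return [
        Constraint(f"LoopExists <=> InLoop_{k}", lambda a: a["LoopExists"] == a[f"InLoop_{k}"]),
        Constraint(f"s_E = s_{k}", lambda a: a["s_E"] == a[f"s_{k}"]),
    ]


def texts(rows: Sequence[Constraint]) -> Set[str]:
    return {r.text for r in rows}


def completeness_rows(k: int) -> Set[str]:
    """<<M,psi,k>> restricted to this part: |[M,psi,k]| minus its k-dependent rows."""
    return texts(base_constraints() + invariant_constraints(k))


def witness_rows(k: int) -> Set[str]:
    """|[M,psi,k]| restricted to this part: all three groups of rows."""
    return completeness_rows(k) | texts(dependent_constraints(k))


def incremental_step(k: int) -> Tuple[Set[str], Set[str]]:
    """What an incremental SAT solver drops and adds when moving from bound k to k+1."""
    dropped = texts(dependent_constraints(k))
    added = witness_rows(k + 1) - completeness_rows(k)
    return dropped, added


def loop_assignment(states: Sequence[object], loop: Optional[int]) -> Assignment:
    """Assignment for s_0..s_k read as a (k, loop)-loop, or as a no-loop path if loop is None."""
    k = len(states) - 1
    a: Assignment = {f"s_{i}": s for i, s in enumerate(states)}
    a["s_E"] = states[k]                      # the proxy stands for the end state s_k
    for i in range(k + 1):
        a[f"l_{i}"] = loop is not None and i == loop
        a[f"InLoop_{i}"] = loop is not None and i >= loop
    a["LoopExists"] = loop is not None
    return a


def violated(k: int, a: Assignment) -> List[str]:
    """Rows of the bound-k loop constraints that the assignment falsifies (empty = satisfied)."""
    rows = base_constraints() + invariant_constraints(k) + dependent_constraints(k)
    return [r.text for r in rows if not r.holds(a)]


def cut_out(states: Sequence[object], loop: Optional[int],
            i: int, j: int) -> Tuple[List[object], Optional[int]]:
    """Lemma 7.2 on the path part: drop indices i+1..j when s_i = s_j and both indices
    are on the same side of the loop start, shifting the loop start by j-i if needed."""
    assert 0 <= i < j <= len(states) - 1 and states[i] == states[j], "s_i must equal s_j"
    in_loop = lambda n: loop is not None and n >= loop
    assert in_loop(i) == in_loop(j), "InLoop_i <=> InLoop_j is required"
    new_states = list(states[:i + 1]) + list(states[j + 1:])
    new_loop = loop if loop is None or loop <= i else loop - (j - i)
    return new_states, new_loop
```

Checking `violated` on the cut path verifies the loop-constraint case of Lemma 7.2 for a concrete lasso: a (k, l)-loop with a repeated state on one side of the loop start stays a valid lasso of bound k − (j − i).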

We can now continue with the proof of Thm. 7.1.

Proof. "⇒": We only deal with finite models M and finite formulas ¬ψ. |[SimplePath]|_k must therefore become and remain unsatisfiable from some k onward. From the correctness of the incremental PLTL eventuality encoding (Thm. 6.1) we have that |[M,¬ψ,i]| is unsatisfiable for all i ≥ 0 if M ⊨ ψ.

"⇐": Assume that ⟨⟨M,¬ψ,k⟩⟩ ∧ |[SimplePath]|_k is unsatisfiable for some k ≥ 0 and |[M,¬ψ,i]| ∧ |[SimplePath]|_i is unsatisfiable for all 0 ≤ i < k. As noted above, unsatisfiability of ⟨⟨M,¬ψ,k⟩⟩ implies unsatisfiability of |[M,¬ψ,k']| for all k' ≥ k. Similarly, if |[SimplePath]|_k is unsatisfiable, so is |[SimplePath]|_{k'} for all k' ≥ k. Hence, we have that |[M,¬ψ,i]| ∧ |[SimplePath]|_i is unsatisfiable for all i ≥ 0. Using Thm. 6.1 together with Lemma 7.2 in the reverse direction we can conclude M ⊨ ψ. □

We could also increase the bound k by more than one at a time if the witness formula is not conjuncted with the simple path formula. The proof requires the fact that if |[M,¬ψ,k]| is satisfiable for some k, it is satisfiable for all k' > k.
Lemma 7.3. Given a Kripke structure M and a PLTL formula ψ, if |[M,¬ψ,k]| is satisfiable for some k, then |[M,¬ψ,k']| is satisfiable for all k' > k.

Proof. Assume π = s_0 … s_k is a bounded witness for ¬ψ. We show below that π can be extended by one state so that the result is again a bounded witness for ¬ψ. By Thm. 6.1, |[M,¬ψ,k+1]| is then also satisfiable. Repeated application gives satisfiability of |[M,¬ψ,k']| for any k' > k.

Consider the no-loop case first. By the definition of ⊨_k for no-loop paths, π extended with an arbitrary successor s_{k+1} of s_k is also a bounded no-loop witness for ¬ψ. If π is a (k,l)-loop, we rewrite π into a (k+1, l+1)-loop by delaying the loop start by one state: π' = s_0 ⋯ s_l s_{l+1} ⋯ s_k s_{k+1} with s_{k+1} = s_l. Clearly, π' interpreted as a (k+1, l+1)-loop represents the same infinite path as π interpreted as a (k,l)-loop and, hence, also satisfies ¬ψ. □

Theorem 7.4. Given a Kripke structure M and a PLTL formula ψ, M ⊨ ψ iff for some k ≥ 0: ⟨⟨M,¬ψ,k⟩⟩ ∧ |[SimplePath]|_k is unsatisfiable and either k = 0 or |[M,¬ψ,k−1]| is unsatisfiable.

Proof. The "⇒" direction is exactly as in the proof of Thm. 7.1. For "⇐" assume that for some k ≥ 0 we have that ⟨⟨M,¬ψ,k⟩⟩ ∧ |[SimplePath]|_k is unsatisfiable and either k = 0 or |[M,¬ψ,k−1]| is unsatisfiable. In the case k = 0 the result follows directly from Thm. 7.1. Now consider the case k > 0. By Lemma 7.3, we have that |[M,¬ψ,k']| is unsatisfiable for all 0 ≤ k' < k. Therefore also obviously |[M,¬ψ,k']| ∧ |[SimplePath]|_{k'} is unsatisfiable for all 0 ≤ k' < k and the result follows from Thm. 7.1. □

8. Experiments and Comparisons 

In this section we experimentally evaluate and compare the approaches presented in this paper. The benchmarks, implementations, and scripts are available at

http://www.tcs.hut.fi/Software/benchmarks/LMCS-2006



8.1. Benchmark Instances. We mostly use examples of nontrivial complexity. The majority are taken from the NuSMV distribution [CCG+02], one is from the examples of the Rebeca tool [SMSdB04], and two are from previous work of the authors [SB03, LBHJ05]. Table 1 provides a brief description of the models. For "1394" and "dme" we use instances of different sizes (indicated by the numerical parameters). For "1394" a buggy variant is used as well (denoted "1394b").

Table 2 gives templates of the properties used. The first column states the name of the model. Columns 2-4 indicate names and truth of the properties. To save space we combine a property and its negated version in a single line. The negation of property "p" is later referred to as "¬p". Truth is indicated by "t" for true, "f" for false, "?" for unknown (if none of our approaches terminated successfully), and "-" for not used. Sometimes we make the resulting witnesses more interesting by requiring that the request of a request-response property holds infinitely often (marked "nv"). We also prefix a property with "F " to turn a safety property into a liveness property. For "1394" the first entry in column 3 refers to the correct, the second to the buggy version. The last two columns give the past operator depth and the template of the property.
model                 state bits   description                                                           source
1394{b}-[345]-[23]    97-197       IEEE 1394 FireWire tree identify protocol with 3-5 nodes and          [SB03]
                                   2 or 3 ports per node
abp4                  30           alternating bit protocol for 4 bits                                   [CCG+02]
brp                   45           bounded retransmission protocol                                       [CCG+02]
counter               3            3-bit counter                                                         [CCG+02]
csmacd                126          MAC sublayer of CSMA/CD protocol                                      [SMSdB04]
dme[35]               54, 90       asynchronous distributed mutual exclusion circuit with 3 or 5 nodes   [CCG+02]
mutex                 5            mutual exclusion with 2 participants                                  [CCG+02]
pci                   64           PCI Bus protocol                                                      [CCG+02]
prod-cons             26           producer consumer                                                     [CCG+02]
production-cell       54           production cell control model                                         [CCG+02]
bc57-sensors          78           reactor system model                                                  [CCG+02]
ring                  3            3 inverters forming a cycle                                           [CCG+02]
short                 2            simple request handler                                                [CCG+02]
srg5                  8            5 bit shift register                                                  [LBHJ05]

Table 1: Models used in the experiments



8.2. Implementations. Following the automata-theoretic approach to LTL [VW86], a model checking procedure consists of encoding the property and subsequent fair cycle detection. As a special case, the second step can be performed by applying the liveness-to-safety translation and doing invariant checking. Where available we use off-the-shelf model checking procedures that include all steps to evaluate a particular approach. We make the following exceptions to that rule. Our implementation of the liveness-to-safety translation has the encoding of the property included but needs to be complemented with an algorithm to check invariants. To determine whether the effort of a dedicated implementation of a BMC encoding with the corresponding opportunities for optimisation is worthwhile, we also combine our BMC encodings with the liveness-to-safety translation and with separately generated Büchi automata (Fig. 7(e), (f)). Finally, when comparing a tight with a non-tight Büchi automaton in BDD-based symbolic model checking we invoke the conversion from LTL to a Büchi automaton externally for both variants to minimise the influence of different variable orders (Fig. 7).

Encoding of PLTL properties for model checking has been widely researched (for references see Sect. 3.3). However, in symbolic model checking, the dominating encodings are still more or less close to a symbolic implementation of the tableau construction [LP85] in [BCM+92, CGH97]. This shifts a potential exponential blow-up from generation of the Büchi automaton to the search for a fair cycle. All encodings presented in this paper fall in this category. The question whether optimised Büchi automata constructions actually yield better overall performance in symbolic model checking algorithms is still open: while the actual search for a fair cycle seems to benefit from optimised Büchi automata, there are cases where those benefits are more than offset by generating the Büchi automaton [STV05, CRST06]. Note, finally, that we currently don't have a construction that yields an explicit Büchi automaton that is both small and tight. In Fig. 7(f) below we evaluate whether there is any overhead in forming the product of the model and the Büchi automaton for the property first and having the conversion to SAT only encode the search for a fair cycle, compared to encoding the property in a way very similar to such a Büchi automaton as part of the conversion to SAT (which our encodings do). Therefore, the translation of a PLTL formula into a Büchi automaton in Fig. 7(f) is chosen to be similar to our BMC encoding. Comparing the performance of optimised translations from PLTL into Büchi automata with SAT-based approaches is out of the scope of this work. Similar reservations apply to our other experiments.

Table 2: Templates of the properties used in the experiments

The details of the approaches and implementations used in the experiments are listed below. The first four approaches include all steps while the latter three are partial.

CAV2005(c,u,o): means an implementation of a linear, incremental BMC procedure for PLTL on top of NuSMV 2.2.3. The exact BMC encoding is described in Sect. 6 and is essentially the encoding given in [HJL05]. The parameters describe

• whether the completeness check of Sect. 7 is enabled (c = compl) or not (c = nocompl),

• whether full virtual unrolling is applied (u = unroll) or not (u = nounroll), and

• whether the optimisations described in Sect. 5 of [HJL05] are active (o = opt) or not (o = noopt).

VMCAI2005: stands for an implementation of a linear, non-incremental BMC procedure for PLTL on top of NuSMV version 2.2.3. The exact BMC encoding is described in [LBHJ05]: it is very similar to the non-incremental PLTL encoding given in Sect. 5.1 except that it uses the fixed point encoding similar to that in Sect. 3.1 instead of the eventuality encoding.

NuSMV(BMCLTL): is an example of a non-linear, non-incremental BMC encoding. It is the standard way to perform SAT-based bounded model checking for PLTL in NuSMV [CCG+02], version 2.2.3. For a description see [BC03].

NuSMV(BDDLTL): is the standard method for BDD-based PLTL model checking in NuSMV [CCG+02], version 2.2.3. The property is translated into a symbolic Büchi automaton with [KPR98]. Cycle detection is performed with the backward version of the Emerson-Lei algorithm [EL86]; we always enabled the restriction to the set of reachable states. Neither dynamic reordering nor model-specific variable orders are used.

L2S(t,o): is the liveness-to-safety transformation. The implementation of the transformation is based on previous work [SB04, Sch06] rather than on the formulation in Sect. 4. The encoding of the automaton representing the property is based on the construction outlined in Sect. 5.2 but is slightly modified for a tighter integration with the liveness-to-safety transformation. As an example, the signals indicating the start of the looping part and the end of a loop iteration are provided directly by the reduction rather than being separate input variables. The result is close to [LBHJ05] — in fact, [LBHJ05] was the starting point of our construction of a tight Büchi automaton.

The first parameter states which degree of virtual unrolling is used in the encoding 
of the property: 

• t = tight means full virtual unrolling up to the past operator depth of the 
property, and 

• t = notight performs no virtual unrolling at all. 

The second parameter, o, indicates whether variable optimisation (see Sect. 14. 2p is 

• enabled (o = ic), or 

• not (o = none). 
Identification of input and constant variables is largely based on (conservative) 
syntactic criteria: a variable v in an SMV model clearly is an input variable if v appears 
only on the right-hand side of next assignments such that v is not itself in the scope 
of a next operator. Sometimes knowledge of a model was used to conclude that a 
variable is either a constant or an input variable. 
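As an added illustration of the syntactic criterion above (example code, not NuSMV's or the paper's own variable analysis), the Python below scans an assumed SMV subset, a VAR section of `v : type;` declarations and an ASSIGN section of `init(v) := ...;` and `next(v) := ...;` rules, and classifies each declared variable. The SMV fragment is constructed for the example. Besides the input criterion quoted in the text, it treats a variable whose only rule is `next(v) := v` as frozen (constant after initialisation), which is an assumption of the example, and leaves everything else as unknown, the conservative default.

```python
"""Conservative syntactic classification of SMV variables (added example, not NuSMV's or
the paper's own analysis).  Assumed SMV subset: a VAR section of `v : type;` declarations
and an ASSIGN section of `init(v) := e;` / `next(v) := e;` rules."""
import re

# Constructed sample model, not one of the paper's benchmarks.
SAMPLE_MODEL = """
MODULE main
VAR
  x : boolean;
  y : boolean;
  c : boolean;
  e : boolean;
  z : boolean;
ASSIGN
  init(x) := FALSE;
  next(x) := x | e;
  init(c) := TRUE;
  next(c) := c;
  next(y) := !y & next(z) & c;
"""

DECL_RE = re.compile(r"^\s*(\w+)\s*:\s*\w+\s*;", re.M)
ASSIGN_RE = re.compile(r"^\s*(init|next)\((\w+)\)\s*:=\s*(.*?);\s*$", re.M)
NEXT_REF_RE = re.compile(r"next\((\w+)\)")
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")


def classify(model_text):
    """Map each declared variable to one of:
    state   - it has an init or next rule (and is not frozen);
    frozen  - its next rule is exactly `next(v) := v`, so it is constant after
              initialisation (treating it as a constant is this example's assumption);
    input   - it has no rule and every occurrence is on the right-hand side of a next
              rule outside any next(...) operator, the criterion quoted in the text;
    unknown - anything else, e.g. a rule-less variable referenced inside next(...) or on
              the right-hand side of an init rule; the conservative default."""
    declared = set(DECL_RE.findall(model_text))
    assigned, frozen = set(), set()
    refs = {v: [] for v in declared}                 # v -> [(rule kind, inside next(...))]
    for kind, var, rhs in ASSIGN_RE.findall(model_text):
        assigned.add(var)
        if kind == "next" and rhs.strip() == var:
            frozen.add(var)
        in_next = set(NEXT_REF_RE.findall(rhs))
        for ident in set(IDENT_RE.findall(rhs)) & declared:
            refs[ident].append((kind, ident in in_next))
    result = {}
    for v in sorted(declared):
        if v in frozen:
            result[v] = "frozen"
        elif v in assigned:
            result[v] = "state"
        elif refs[v] and all(kind == "next" and not inside for kind, inside in refs[v]):
            result[v] = "input"
        else:
            result[v] = "unknown"
    return result


if __name__ == "__main__":
    for var, kind in classify(SAMPLE_MODEL).items():
        print(f"{var}: {kind}")
```

Run as a script it prints one line per variable: `e` is an input (it occurs only on the right-hand side of `next(x)`), `c` is frozen, `x` and `y` are state variables, and `z` stays unknown because its only occurrence is inside `next(...)`. A variable referenced on the right-hand side of an init rule is likewise left unknown, since the criterion only admits occurrences in next rules.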

A full model checking procedure is obtained in combination with any of the previous 
four or with NuSMV(BDDINVAR) below. We only use CAV2005 and NuSMV(BDDINVAR). 

B(t): stands for a symbolic implementation of a Büchi automaton. The parameter t 
indicates whether a tight (t = tight) version is used or not (t = notight). The former 
corresponds to Sect. 5.2 while the latter is produced by NuSMV's ltl2smv tool, 
which implements [KPR98]. To obtain a model checking procedure we combine 
B(t) either with NuSMV(BDDLTL) or with CAV2005. 

NuSMV(BDDINVAR): is BDD-based forward invariant checking with version 2.2.3 
of NuSMV [CCG+02]. We use this to perform BDD-based model checking with the 
liveness-to-safety transformation. State variables of the original model and their 
second instances are interleaved, but neither dynamic reordering nor a model-specific 
variable order are employed. 



8.3. Results and Comparisons. 

8.3.1. Setting and notation. We ran the benchmarks on Linux PC machines with an AMD 
Athlon 64 3200+ processor and 2 GB of memory. The memory limit for each run was 
set to 1.5 GB and the time limit to 1 hour by using the Linux ulimit command. For all 
SAT-based BMC procedures we used zChaff [MMZ+01], version 2004.11.15, as the SAT 
solver. 

Tables 3 and 4 show the results for selected approaches. The result columns tell whether 
the property was found to be true (t) or false (f) in the instance (model, property) by the 
approach in question. The running times in the t-columns are given in seconds, except that 
TO (MO) means that the instance was not solved because of a timeout (running out of 
memory). For the L2S(t,o)+X and B(t)+X approaches the running time does not include the 
liveness-to-safety transformation or Büchi automaton generation time, but only the solving 
time of X.¹³ 

The BMC-based approaches were run in the usual way: starting with the smallest bound and 
increasing it by one until (i) a counterexample or a proof was found, or (ii) the time or 
memory limit was reached. In the incremental approaches (CAV2005) there is only one 
SAT instance that is updated and solved again when the bound increases, while in the 
non-incremental approaches (VMCAI2005, NuSMV(BMCLTL)) the SAT instance for each 
bound is independently generated and checked. The k-columns give the bound that was 
reached. In particular, if the problem was solved (no TO or MO in the t-column), the 
k-column gives the length of the counterexample or the bound required to prove the property. 

¹² Note that the notight version still accepts shortest counterexamples for the future fragment of LTL. 
This is in contrast to the notation used in [AS06], where "tight" refers to an automaton based on [CGH97] 
(i.e., [KPR98] restricted to the future fragment of PLTL) and "non-tight" to one based on [SB00]. 

¹³ Note that both the liveness-to-safety transformation and the Büchi automaton generation are performed 
symbolically and, therefore, can be done in polynomial time in the length of the description of the model 
and the formula. 
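The bound-raising loop just described, as an added example that is not the paper's implementation (nor NuSMV's): a toy DPLL solver with assumptions stands in for zChaff, the model is a hypothetical binary counter with optional frozen bits, properties are state cubes (the safety fragment) rather than full PLTL, and the termination test is the simple-path criterion in its plainest form, a stand-in for the completeness check of Sect. 7 rather than that encoding. The incremental variant keeps one solver and only adds the clauses for each new bound, selecting the bad-state query for bound k and the loop-freeness constraint through assumption literals; the non-incremental variant rebuilds the whole instance at every bound. Because the toy solver learns nothing, the only saving visible here is in clauses generated; a real incremental SAT solver additionally retains learnt clauses across bounds.

```python
"""Bound-raising BMC loop, incremental versus non-incremental, with a simple-path
termination check.  Added illustration, not the paper's code: a toy DPLL solver stands
in for zChaff and a hypothetical counter model for the benchmarks."""


class Solver:
    """Minimal DPLL with unit propagation.  Literals are non-zero ints, -v negates v."""

    def __init__(self): self.clauses, self.nvars = [], 0
    def new_var(self): self.nvars += 1; return self.nvars
    def add(self, *clause): self.clauses.append(clause)

    def solve(self, assumptions=()):
        """Model {var: bool} or None under the assumed literals.  Clauses persist across
        calls; learnt clauses, which a real incremental solver keeps too, do not exist here."""
        return self._dpll({abs(l): l > 0 for l in assumptions})

    def _dpll(self, a):
        while True:                                  # unit propagation to a fixpoint
            unit = None
            for c in self.clauses:
                free = []
                for l in c:
                    v = a.get(abs(l))
                    if v is None: free.append(l)
                    elif v == (l > 0): break         # clause already satisfied
                else:
                    if not free: return None         # every literal false: conflict
                    if len(free) == 1: unit = free[0]; break
            if unit is None: break
            a[abs(unit)] = unit > 0
        for v in range(1, self.nvars + 1):           # branch on the first unassigned variable
            if v not in a:
                for val in (True, False):
                    m = self._dpll({**a, v: val})
                    if m is not None: return m
                return None
        return a


class CounterModel:
    """Hypothetical model: n bits of a binary up-counter plus m frozen bits, all 0 at init.
    `bad` is a cube {bit index: required value} describing the states to avoid."""

    def __init__(self, n, m, bad):
        self.n, self.width, self.bad = n, n + m, bad

    def init(self, s, x):
        for v in x: s.add(-v)

    def step(self, s, x, y):
        """T(x, y): y = x + 1 on the counter bits, y_j = x_j on the frozen bits."""
        carry = None                                 # None: the constant carry-in 1 of bit 0
        for j in range(self.width):
            if j >= self.n:                          # frozen bit: y_j <-> x_j
                s.add(-y[j], x[j]); s.add(y[j], -x[j])
            elif carry is None:                      # y_0 <-> not x_0; carry-out is x_0
                s.add(y[j], x[j]); s.add(-y[j], -x[j])
                carry = x[j]
            else:                                    # y_j <-> x_j xor carry
                s.add(-y[j], x[j], carry); s.add(-y[j], -x[j], -carry)
                s.add(y[j], x[j], -carry); s.add(y[j], -x[j], carry)
                nxt = s.new_var()                    # nxt <-> carry and x_j
                s.add(-nxt, carry); s.add(-nxt, x[j]); s.add(nxt, -carry, -x[j])
                carry = nxt


def extend(model, s, states, sel, k):
    """Add what bound k needs: s_k, T(s_{k-1}, s_k), a selector bad_k forcing s_k into the
    bad cube and, guarded by sel, the constraint s_k != s_i for every i < k."""
    x = [s.new_var() for _ in range(model.width)]
    states.append(x)
    model.init(s, x) if k == 0 else model.step(s, states[k - 1], x)
    bad_k = s.new_var()
    for j, val in model.bad.items():
        s.add(-bad_k, x[j] if val else -x[j])
    for prev in states[:-1]:
        diff = []
        for a, b in zip(prev, x):
            d = s.new_var()                          # d -> (a != b)
            s.add(-d, a, b); s.add(-d, -a, -b); diff.append(d)
        s.add(-sel, *diff)                           # sel -> some bit of s_i and s_k differs
    return bad_k


def bmc(model, max_k, incremental):
    """Returns (verdict, k, clauses generated in total, counterexample trace or None)."""
    s, sel, generated = None, None, 0
    for k in range(max_k + 1):
        if s is None or not incremental:             # non-incremental: re-encode bounds 0..k-1
            s, states, bads, seen = Solver(), [], [], 0
            sel = s.new_var()
            bads += [extend(model, s, states, sel, i) for i in range(k)]
        bads.append(extend(model, s, states, sel, k))
        generated, seen = generated + len(s.clauses) - seen, len(s.clauses)
        m = s.solve([bads[k]])                       # a bad state reachable in exactly k steps?
        if m is not None:
            return "cex", k, generated, [sum(m[v] << j for j, v in enumerate(x)) for x in states]
        if s.solve([sel]) is None:                   # no loop-free path of length k exists, so
            return "proof", k, generated, None       # every reachable state was already checked
    return "unknown", max_k, generated, None


if __name__ == "__main__":
    print(bmc(CounterModel(3, 0, {0: 1, 1: 0, 2: 1}), 10, True))   # bad state 5: cex at k = 5
```

For the 3-bit counter with bad state 5 both variants report a counterexample at k = 5 with the trace 0, 1, 2, 3, 4, 5; for a 2-bit counter with a frozen third bit and the property "bit 2 is never set", the bad-state query is unsatisfiable at every bound and the simple-path query becomes unsatisfiable at k = 4 (only four states are reachable), which is reported as a proof. Comparing the clause counts returned by the two variants on the second model shows the re-encoding work that incrementality avoids.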

For BDD-based approaches, the |cex|-column gives the length of the produced counterexample. 

Fig. 6 shows scatter plots comparing the running times of different approaches to solve 
the benchmark instances. Red squares denote benchmark instances where the property is 
false (i.e., they have a counterexample), and black diamonds denote instances where the 
property holds. As mentioned earlier, the time limit was set to 3600 seconds (1 hour): 
timeouts are denoted by the time "value" 7200 and running out of memory by the time 
"value" 14400 in the scatter plots. 

8.3.2. Evaluation of different approaches. Comparing the columns NuSMV(BMCLTL) 
and VMCAI2005 of Table 3, plotted against each other also in Fig. 6(a), we can see 
the positive effect of having a more compact BMC encoding for PLTL formulae. Most of 
the properties we use involve past operators, and for such formulae the encoding of 
VMCAI2005 [LBHJ05] is linear in k while the encoding of NuSMV(BMCLTL) [BC03] is 
not. 

From the columns VMCAI2005 and CAV2005(nocompl,unroll,opt) of Table 3 and 
from Fig. 6(b) we see that adapting the compact encoding of VMCAI2005 to exploit 
modern incremental SAT solvers gives an additional major performance boost. Note that 
although VMCAI2005 uses a fixed point encoding while CAV2005(nocompl,unroll,opt) 
uses the eventuality encoding, we can claim that the major part of the observed performance 
boost is due to incrementality because of the results in Table 1 of [HJL05]: VMCAI2005 
and CAV2005(nocompl,unroll,opt) without incrementality seem to behave very similarly. 

As we can see from Fig. 6(c), the effect of virtual unrolling on the running times 
is not clear. However, there are slightly more cases in which unrolling helped than cases 
where it made things slower. This is due to the fact that unrolling can shorten counterexamples 
for formulas with past operators. Figure 7(a) illustrates that removing virtual unrolling 
may increase the counterexample length not only in theory but in practice, too. We also 
experimented with the option of not applying the optimisations of [HJL05, Sect. 5] in 
CAV2005 and found that the optimisations do not seem to have a noticeable effect in practice, 
except that they sometimes reduce the bound required to prove a property when virtual 
unrolling is applied. 

Figure 6(d) shows the effect of adding the completeness check described in Sect. 7 to 
the incremental PLTL BMC procedure CAV2005(nocompl,unroll,opt). The results 
demonstrate that the completeness check (i) enables one to sometimes also prove properties and not 
only find counterexamples, and (ii) generally slows down the BMC procedure by a factor of 
2 or 3. However, if we compare the incremental and complete CAV2005(compl,unroll,opt) 
to the non-incremental and incomplete VMCAI2005, we see that incremental SAT solving 
techniques allow us to have a complete BMC procedure that almost always outperforms 
a non-incremental and incomplete state-of-the-art BMC procedure on the benchmarks we 
ran. 

In Fig. 6(e) and (f) we compare bounded model checking with the specialised BMC 
encoding CAV2005(nocompl,unroll,opt) with an encoding based on the liveness-to-safety 
transformation (requiring only invariant checking in the BMC procedure) and with one based on 
a tight Büchi automaton (requiring only fair loop detection in the BMC procedure). There is 
a noticeable overhead when using the liveness-to-safety transformation while, based on our 
set of experiments, we cannot conclude that a specialised encoding improves performance 
over the Büchi automaton. A main benefit of the specialised BMC encoding is, however, 
that it can also capture no-loop counterexamples. 

Figure 6(g) contrasts finding shortest counterexamples using a BMC-based and a 
BDD-based method. While the former solves slightly more instances (that have a counterexample) 
within the given resource bounds, there are also some instances that it cannot solve but 
the latter can. With respect to running time there is no clear winner either. 

If we compare standard BDD-based PLTL model checking (NuSMV(BDDLTL)) and a 
state-of-the-art complete BMC procedure (CAV2005(compl,unroll,opt)), see Fig. 6(h), 
we can see that they are quite incomparable. Although the BDD-based approach seems 
to be better at proving properties, as it produces fewer timeouts and memouts, there are 
instances that BMC proves much faster. And vice versa for properties having 
counterexamples: NuSMV(BDDLTL) solves (brp, ¬O, nv) much faster, but it (or any of the BDD-based 
methods we experimented with) cannot solve the properties appearing in Tables 3 and 4 on the 
1394-5-2 and 1394b-6-4 models. 

Using a tight Büchi automaton with standard BDD-based model checking incurs a 
severe performance penalty (Fig. 6(i)). The lengths of the counterexamples produced by 
the tight and non-tight variants are very different, with neither being consistently better 
(Fig. 7(b)). Note that B(tight)+NuSMV(BDDLTL) does not necessarily produce shortest 
possible counterexamples although it uses tight automata: the fair path finding algorithm 
employed in NuSMV(BDDLTL) does not produce shortest fair (k, l)-loops. 

Tightness tends to come with a price in the liveness-to-safety and BDD-based approach, 
as seen in Fig. 6(j), though less noticeably than in the standard BDD-based approach. While 
there is a price that grows with increasing past operator depth for some examples 
(1394-4-2, p2-4 and production-cell, p0/2/1), there is also the opposite case (1394b-4-2, p2-4). For 
the production-cell examples the partial unrolling optimisation proved valuable (not shown 
here): one level of unrolling (i.e., treating the specification as having past operator depth 
1) gives shortest counterexamples as with a tight encoding but takes time only as with a 
non-tight encoding. 

BDD-based model checking using the liveness-to-safety transformation is often faster 
than the standard approach of using BDDs (Fig. 6(k)) when the property is false, while 
it is typically slower for true properties. Further analysis indicates that early 
termination might play a role in this behaviour. Another, yet unexplored factor could be 
that L2S(t,o)+NuSMV(BDDINVAR) uses a forward invariant checking algorithm while 
NuSMV(BDDLTL) uses the backward version of the Emerson-Lei algorithm. While not 
shown, L2S(t,o)+NuSMV(BDDINVAR) tends to use more memory for both false 
and true properties [Sch06]. However, it produces significantly shorter counterexamples 
(Fig. 7(c)) and is able to solve some examples where the standard approach reaches the 
time or memory limit. Note that the gain in counterexample length in Fig. 7(c) is the 
same when using CAV2005 with unrolling. 

The plot in Fig. 6(l) illustrates that the variable optimisation presented in Sect. 4.2 
helps in BDD-based model checking with the liveness-to-safety transformation, as expected, 
and it does not seem to have any adverse side effects. 

We also experimented with a combination of the liveness-to-safety transformation and 
the temporal induction of [ES03]. That is, we use L2S(t,ic) to transform the PLTL problem 
to an invariant problem and then apply the temporal induction algorithm implemented 
in NuSMV (the command check_invar_bmc_inc -a zigzag). We were surprised that the 
resulting approach could not prove any of the true properties among the benchmarks we ran. 
We have no explanation for this behaviour at the moment, but we suspect that the 
liveness-to-safety transformation and the backwards working completeness checking of [ES03] might 
not fit together well. 

9. Discussion and Conclusions 

When comparing BMC approaches, the linear sized dedicated BMC encodings for PLTL 
offer better performance than alternative approaches based either on symbolic Büchi 
automata with the liveness-to-safety transformation or on the original BMC encodings. The 
main advantage of the dedicated encodings over approaches using symbolic Büchi automata 
with fair loop detection is the ability of the dedicated encodings to also detect no-loop 
counterexamples. Adapted to incremental SAT solving techniques, BMC based on our encodings 
offers an efficient method for finding bugs. Virtual unrolling proved a useful technique to 
obtain both BMC encodings and Büchi automata that accept shortest counterexamples. 
The BMC experiments also show that the shorter counterexamples often lead to shorter 
times needed to find counterexamples to PLTL properties. 

Using the liveness-to-safety translation with BDD-based invariant checking represents 
a competitive way to produce shortest counterexamples. For both SAT- and BDD-based 
approaches that find minimal length counterexamples there are problem instances that are 
solved by one approach but not by the other. Thus neither approach dominates the other. 

When it comes to proving complex properties, the BMC approach presented here cannot 
yet compete with BDD-based methods. However, there are cases where our BMC approach 
is faster than the BDD-based approaches. Improving the capability to prove properties with 
BMC is therefore an important research direction. 

There are at least two complementary research directions on proving properties of 
larger systems with BMC. One direction is based on generating stronger invariants than 
the current completeness formula. This can be done by adding invariants to formula states 
so as to bind variables that are free. The invariants can be deduced from PLTL 
semantics. Another approach for generating invariants is formulating invariants based on 
the system's behaviour [dMRS03, AFF+05]. The capability to prove properties can also 
be greatly improved if the SimplePath_k predicate had to include fewer state 
bits. A cone-of-influence reduction [CGP99] tailored for full PLTL or implementing the 
variable optimisations mentioned in Sect. 4.2 also for BMC could make this possible. Some 
insights might be gained by understanding why the combination of k-induction and the 
liveness-to-safety transformation performs so poorly for proving properties. We would also 
like to investigate methods based on Craig interpolants [McM03] to better understand the 
implementation techniques needed and performance obtainable from that method. 

In this work we have concentrated on BMC encodings of PLTL properties. There are 
also other places where BMC can be improved. For example, [She04] discusses methods 
to improve the CNF generation employed inside a prototype NuSMV variant used in [CRS04], 
an area we have not covered in our BMC implementations. Using SAT preprocessors, 
such as [EB05], to simplify the CNF after generation is an alternative. Usually bounded 
model checking papers take the system transition relation T(s, s') as given and do not 
try to exploit any special properties it might have. By more careful encoding of T(s, s') 
significant performance gains can be obtained, at least for special classes of systems such 
as asynchronous systems [Hel01, JKN05, JHN05, Jus05]. 
Figure 6: Scatter plots comparing the running times (in seconds) of different approaches. 
Although PLTL is exponentially more succinct than LTL, it cannot express all 
ω-regular properties, unlike some industry standard specification languages such as Accellera's 
PSL [Acc04, IEE05]. There are some encouraging initial results on bounded model checking 
of ω-regular properties very recently published [HJK+06], building on top of the work 
presented here. For an alternative approach to handling ω-regular properties, see [BCP+06]. 